Index: head/sys/kern/kern_ktrace.c =================================================================== --- head/sys/kern/kern_ktrace.c (revision 102111) +++ head/sys/kern/kern_ktrace.c (revision 102112) @@ -1,858 +1,858 @@ /* * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)kern_ktrace.c 8.2 (Berkeley) 9/23/93 * $FreeBSD$ */ #include "opt_ktrace.h" #include "opt_mac.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static MALLOC_DEFINE(M_KTRACE, "KTRACE", "KTRACE"); #ifdef KTRACE #ifndef KTRACE_REQUEST_POOL #define KTRACE_REQUEST_POOL 100 #endif struct ktr_request { struct ktr_header ktr_header; struct ucred *ktr_cred; struct vnode *ktr_vp; union { struct ktr_syscall ktr_syscall; struct ktr_sysret ktr_sysret; struct ktr_genio ktr_genio; struct ktr_psig ktr_psig; struct ktr_csw ktr_csw; } ktr_data; int ktr_synchronous; STAILQ_ENTRY(ktr_request) ktr_list; }; static int data_lengths[] = { 0, /* none */ offsetof(struct ktr_syscall, ktr_args), /* KTR_SYSCALL */ sizeof(struct ktr_sysret), /* KTR_SYSRET */ 0, /* KTR_NAMEI */ sizeof(struct ktr_genio), /* KTR_GENIO */ sizeof(struct ktr_psig), /* KTR_PSIG */ sizeof(struct ktr_csw), /* KTR_CSW */ 0 /* KTR_USER */ }; static STAILQ_HEAD(, ktr_request) ktr_todo; static STAILQ_HEAD(, ktr_request) ktr_free; static uint ktr_requestpool = KTRACE_REQUEST_POOL; TUNABLE_INT("kern.ktrace_request_pool", &ktr_requestpool); static int print_message = 1; struct mtx ktrace_mtx; static struct sema ktrace_sema; static void ktrace_init(void *dummy); static int sysctl_kern_ktrace_request_pool(SYSCTL_HANDLER_ARGS); static uint ktrace_resize_pool(uint newsize); static struct ktr_request *ktr_getrequest(int type); static void ktr_submitrequest(struct ktr_request *req); static void ktr_freerequest(struct ktr_request *req); static void ktr_loop(void *dummy); static void ktr_writerequest(struct ktr_request *req); static int ktrcanset(struct thread *,struct proc *); static int ktrsetchildren(struct thread *,struct proc *,int,int,struct vnode *); static int ktrops(struct thread *,struct proc *,int,int,struct vnode *); static void ktrace_init(void *dummy) { struct ktr_request *req; int i; mtx_init(&ktrace_mtx, "ktrace", NULL, MTX_DEF | MTX_QUIET); sema_init(&ktrace_sema, 0, "ktrace"); STAILQ_INIT(&ktr_todo); STAILQ_INIT(&ktr_free); for (i = 0; i < ktr_requestpool; i++) { req = malloc(sizeof(struct ktr_request), M_KTRACE, M_WAITOK); STAILQ_INSERT_HEAD(&ktr_free, req, ktr_list); } kthread_create(ktr_loop, NULL, NULL, RFHIGHPID, "ktrace"); } SYSINIT(ktrace_init, SI_SUB_KTRACE, SI_ORDER_ANY, ktrace_init, NULL); static int sysctl_kern_ktrace_request_pool(SYSCTL_HANDLER_ARGS) { struct thread *td; uint newsize, oldsize, wantsize; int error; /* Handle easy read-only case first to avoid warnings from GCC. */ if (!req->newptr) { mtx_lock(&ktrace_mtx); oldsize = ktr_requestpool; mtx_unlock(&ktrace_mtx); return (SYSCTL_OUT(req, &oldsize, sizeof(uint))); } error = SYSCTL_IN(req, &wantsize, sizeof(uint)); if (error) return (error); td = curthread; td->td_inktrace = 1; mtx_lock(&ktrace_mtx); oldsize = ktr_requestpool; newsize = ktrace_resize_pool(wantsize); mtx_unlock(&ktrace_mtx); td->td_inktrace = 0; error = SYSCTL_OUT(req, &oldsize, sizeof(uint)); if (error) return (error); if (newsize != wantsize) return (ENOSPC); return (0); } SYSCTL_PROC(_kern, OID_AUTO, ktrace_request_pool, CTLTYPE_UINT|CTLFLAG_RW, &ktr_requestpool, 0, sysctl_kern_ktrace_request_pool, "IU", ""); static uint ktrace_resize_pool(uint newsize) { struct ktr_request *req; mtx_assert(&ktrace_mtx, MA_OWNED); print_message = 1; if (newsize == ktr_requestpool) return (newsize); if (newsize < ktr_requestpool) /* Shrink pool down to newsize if possible. */ while (ktr_requestpool > newsize) { req = STAILQ_FIRST(&ktr_free); if (req == NULL) return (ktr_requestpool); STAILQ_REMOVE_HEAD(&ktr_free, ktr_list); ktr_requestpool--; mtx_unlock(&ktrace_mtx); free(req, M_KTRACE); mtx_lock(&ktrace_mtx); } else /* Grow pool up to newsize. */ while (ktr_requestpool < newsize) { mtx_unlock(&ktrace_mtx); req = malloc(sizeof(struct ktr_request), M_KTRACE, M_WAITOK); mtx_lock(&ktrace_mtx); STAILQ_INSERT_HEAD(&ktr_free, req, ktr_list); ktr_requestpool++; } return (ktr_requestpool); } static struct ktr_request * ktr_getrequest(int type) { struct ktr_request *req; struct thread *td = curthread; struct proc *p = td->td_proc; int pm; td->td_inktrace = 1; mtx_lock(&ktrace_mtx); if (!KTRCHECK(td, type)) { mtx_unlock(&ktrace_mtx); td->td_inktrace = 0; return (NULL); } req = STAILQ_FIRST(&ktr_free); if (req != NULL) { STAILQ_REMOVE_HEAD(&ktr_free, ktr_list); req->ktr_header.ktr_type = type; KASSERT(p->p_tracep != NULL, ("ktrace: no trace vnode")); req->ktr_vp = p->p_tracep; VREF(p->p_tracep); mtx_unlock(&ktrace_mtx); microtime(&req->ktr_header.ktr_time); req->ktr_header.ktr_pid = p->p_pid; bcopy(p->p_comm, req->ktr_header.ktr_comm, MAXCOMLEN + 1); req->ktr_cred = crhold(td->td_ucred); req->ktr_header.ktr_buffer = NULL; req->ktr_header.ktr_len = 0; req->ktr_synchronous = 0; } else { pm = print_message; print_message = 0; mtx_unlock(&ktrace_mtx); if (pm) printf("Out of ktrace request objects.\n"); td->td_inktrace = 0; } return (req); } static void ktr_submitrequest(struct ktr_request *req) { mtx_lock(&ktrace_mtx); STAILQ_INSERT_TAIL(&ktr_todo, req, ktr_list); sema_post(&ktrace_sema); if (req->ktr_synchronous) { /* * For a synchronous request, we wait for the ktrace thread * to get to our item in the todo list and wake us up. Then * we write the request out ourselves and wake the ktrace * thread back up. */ msleep(req, &ktrace_mtx, curthread->td_priority, "ktrsync", 0); mtx_unlock(&ktrace_mtx); ktr_writerequest(req); mtx_lock(&ktrace_mtx); wakeup(req); } mtx_unlock(&ktrace_mtx); curthread->td_inktrace = 0; } static void ktr_freerequest(struct ktr_request *req) { crfree(req->ktr_cred); if (req->ktr_vp != NULL) { mtx_lock(&Giant); vrele(req->ktr_vp); mtx_unlock(&Giant); } mtx_lock(&ktrace_mtx); STAILQ_INSERT_HEAD(&ktr_free, req, ktr_list); mtx_unlock(&ktrace_mtx); } static void ktr_loop(void *dummy) { struct ktr_request *req; struct thread *td; struct ucred *cred; /* Only cache these values once. */ td = curthread; cred = td->td_ucred; for (;;) { sema_wait(&ktrace_sema); mtx_lock(&ktrace_mtx); req = STAILQ_FIRST(&ktr_todo); STAILQ_REMOVE_HEAD(&ktr_todo, ktr_list); KASSERT(req != NULL, ("got a NULL request")); if (req->ktr_synchronous) { wakeup(req); msleep(req, &ktrace_mtx, curthread->td_priority, "ktrwait", 0); mtx_unlock(&ktrace_mtx); } else { mtx_unlock(&ktrace_mtx); /* * It is not enough just to pass the cached cred * to the VOP's in ktr_writerequest(). Some VFS * operations use curthread->td_ucred, so we need * to modify our thread's credentials as well. * Evil. */ td->td_ucred = req->ktr_cred; ktr_writerequest(req); td->td_ucred = cred; } ktr_freerequest(req); } } /* * MPSAFE */ void ktrsyscall(code, narg, args) int code, narg; register_t args[]; { struct ktr_request *req; struct ktr_syscall *ktp; size_t buflen; req = ktr_getrequest(KTR_SYSCALL); if (req == NULL) return; ktp = &req->ktr_data.ktr_syscall; ktp->ktr_code = code; ktp->ktr_narg = narg; buflen = sizeof(register_t) * narg; if (buflen > 0) { req->ktr_header.ktr_buffer = malloc(buflen, M_KTRACE, M_WAITOK); bcopy(args, req->ktr_header.ktr_buffer, buflen); req->ktr_header.ktr_len = buflen; } ktr_submitrequest(req); } /* * MPSAFE */ void ktrsysret(code, error, retval) int code, error; register_t retval; { struct ktr_request *req; struct ktr_sysret *ktp; req = ktr_getrequest(KTR_SYSRET); if (req == NULL) return; ktp = &req->ktr_data.ktr_sysret; ktp->ktr_code = code; ktp->ktr_error = error; ktp->ktr_retval = retval; /* what about val2 ? */ ktr_submitrequest(req); } void ktrnamei(path) char *path; { struct ktr_request *req; int namelen; req = ktr_getrequest(KTR_NAMEI); if (req == NULL) return; namelen = strlen(path); if (namelen > 0) { req->ktr_header.ktr_len = namelen; req->ktr_header.ktr_buffer = malloc(namelen, M_KTRACE, M_WAITOK); bcopy(path, req->ktr_header.ktr_buffer, namelen); } ktr_submitrequest(req); } /* * Since the uio may not stay valid, we can not hand off this request to * the thread and need to process it synchronously. However, we wish to * keep the relative order of records in a trace file correct, so we * do put this request on the queue (if it isn't empty) and then block. * The ktrace thread waks us back up when it is time for this event to * be posted and blocks until we have completed writing out the event * and woken it back up. */ void ktrgenio(fd, rw, uio, error) int fd; enum uio_rw rw; struct uio *uio; int error; { struct ktr_request *req; struct ktr_genio *ktg; if (error) return; req = ktr_getrequest(KTR_GENIO); if (req == NULL) return; ktg = &req->ktr_data.ktr_genio; ktg->ktr_fd = fd; ktg->ktr_rw = rw; req->ktr_header.ktr_buffer = uio; uio->uio_offset = 0; uio->uio_rw = UIO_WRITE; req->ktr_synchronous = 1; ktr_submitrequest(req); } void ktrpsig(sig, action, mask, code) int sig; sig_t action; sigset_t *mask; int code; { struct ktr_request *req; struct ktr_psig *kp; req = ktr_getrequest(KTR_PSIG); if (req == NULL) return; kp = &req->ktr_data.ktr_psig; kp->signo = (char)sig; kp->action = action; kp->mask = *mask; kp->code = code; ktr_submitrequest(req); } void ktrcsw(out, user) int out, user; { struct ktr_request *req; struct ktr_csw *kc; req = ktr_getrequest(KTR_CSW); if (req == NULL) return; kc = &req->ktr_data.ktr_csw; kc->out = out; kc->user = user; ktr_submitrequest(req); } #endif /* Interface and common routines */ /* * ktrace system call */ #ifndef _SYS_SYSPROTO_H_ struct ktrace_args { char *fname; int ops; int facs; int pid; }; #endif /* ARGSUSED */ int ktrace(td, uap) struct thread *td; register struct ktrace_args *uap; { #ifdef KTRACE register struct vnode *vp = NULL; register struct proc *p; struct pgrp *pg; int facs = uap->facs & ~KTRFAC_ROOT; int ops = KTROP(uap->ops); int descend = uap->ops & KTRFLAG_DESCEND; int ret = 0; int flags, error = 0; struct nameidata nd; td->td_inktrace = 1; if (ops != KTROP_CLEAR) { /* * an operation which requires a file argument. */ NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_USERSPACE, uap->fname, td); flags = FREAD | FWRITE | O_NOFOLLOW; error = vn_open(&nd, &flags, 0); if (error) { td->td_inktrace = 0; return (error); } NDFREE(&nd, NDF_ONLY_PNBUF); vp = nd.ni_vp; VOP_UNLOCK(vp, 0, td); if (vp->v_type != VREG) { (void) vn_close(vp, FREAD|FWRITE, td->td_ucred, td); td->td_inktrace = 0; return (EACCES); } } /* * Clear all uses of the tracefile. */ if (ops == KTROP_CLEARFILE) { sx_slock(&allproc_lock); LIST_FOREACH(p, &allproc, p_list) { PROC_LOCK(p); if (p->p_tracep == vp) { if (ktrcanset(td, p)) { mtx_lock(&ktrace_mtx); p->p_tracep = NULL; p->p_traceflag = 0; mtx_unlock(&ktrace_mtx); PROC_UNLOCK(p); (void) vn_close(vp, FREAD|FWRITE, td->td_ucred, td); } else { PROC_UNLOCK(p); error = EPERM; } } else PROC_UNLOCK(p); } sx_sunlock(&allproc_lock); goto done; } /* * need something to (un)trace (XXX - why is this here?) */ if (!facs) { error = EINVAL; goto done; } /* * do it */ if (uap->pid < 0) { /* * by process group */ sx_slock(&proctree_lock); pg = pgfind(-uap->pid); if (pg == NULL) { sx_sunlock(&proctree_lock); error = ESRCH; goto done; } /* * ktrops() may call vrele(). Lock pg_members * by the proctree_lock rather than pg_mtx. */ PGRP_UNLOCK(pg); LIST_FOREACH(p, &pg->pg_members, p_pglist) if (descend) ret |= ktrsetchildren(td, p, ops, facs, vp); else ret |= ktrops(td, p, ops, facs, vp); sx_sunlock(&proctree_lock); } else { /* * by pid */ p = pfind(uap->pid); if (p == NULL) { error = ESRCH; goto done; } PROC_UNLOCK(p); /* XXX: UNLOCK above has a race */ if (descend) ret |= ktrsetchildren(td, p, ops, facs, vp); else ret |= ktrops(td, p, ops, facs, vp); } if (!ret) error = EPERM; done: if (vp != NULL) (void) vn_close(vp, FWRITE, td->td_ucred, td); td->td_inktrace = 0; return (error); #else return ENOSYS; #endif } /* * utrace system call */ /* ARGSUSED */ int utrace(td, uap) struct thread *td; register struct utrace_args *uap; { #ifdef KTRACE struct ktr_request *req; void *cp; if (uap->len > KTR_USER_MAXLEN) return (EINVAL); req = ktr_getrequest(KTR_USER); if (req == NULL) return (0); cp = malloc(uap->len, M_KTRACE, M_WAITOK); if (!copyin(uap->addr, cp, uap->len)) { req->ktr_header.ktr_buffer = cp; req->ktr_header.ktr_len = uap->len; ktr_submitrequest(req); } else { ktr_freerequest(req); td->td_inktrace = 0; } return (0); #else return (ENOSYS); #endif } #ifdef KTRACE static int ktrops(td, p, ops, facs, vp) struct thread *td; struct proc *p; int ops, facs; struct vnode *vp; { struct vnode *tracevp = NULL; PROC_LOCK(p); if (!ktrcanset(td, p)) { PROC_UNLOCK(p); return (0); } mtx_lock(&ktrace_mtx); if (ops == KTROP_SET) { if (p->p_tracep != vp) { /* * if trace file already in use, relinquish below */ tracevp = p->p_tracep; VREF(vp); p->p_tracep = vp; } p->p_traceflag |= facs; if (td->td_ucred->cr_uid == 0) p->p_traceflag |= KTRFAC_ROOT; } else { /* KTROP_CLEAR */ if (((p->p_traceflag &= ~facs) & KTRFAC_MASK) == 0) { /* no more tracing */ p->p_traceflag = 0; tracevp = p->p_tracep; p->p_tracep = NULL; } } mtx_unlock(&ktrace_mtx); PROC_UNLOCK(p); if (tracevp != NULL) vrele(tracevp); return (1); } static int ktrsetchildren(td, top, ops, facs, vp) struct thread *td; struct proc *top; int ops, facs; struct vnode *vp; { register struct proc *p; register int ret = 0; p = top; sx_slock(&proctree_lock); for (;;) { ret |= ktrops(td, p, ops, facs, vp); /* * If this process has children, descend to them next, * otherwise do any siblings, and if done with this level, * follow back up the tree (but not past top). */ if (!LIST_EMPTY(&p->p_children)) p = LIST_FIRST(&p->p_children); else for (;;) { if (p == top) { sx_sunlock(&proctree_lock); return (ret); } if (LIST_NEXT(p, p_sibling)) { p = LIST_NEXT(p, p_sibling); break; } p = p->p_pptr; } } /*NOTREACHED*/ } static void ktr_writerequest(struct ktr_request *req) { struct ktr_header *kth; struct vnode *vp; struct uio *uio = NULL; struct proc *p; struct thread *td; struct ucred *cred; struct uio auio; struct iovec aiov[3]; struct mount *mp; int datalen, buflen, vrele_count; int error; vp = req->ktr_vp; /* * If vp is NULL, the vp has been cleared out from under this * request, so just drop it. */ if (vp == NULL) return; kth = &req->ktr_header; datalen = data_lengths[kth->ktr_type]; buflen = kth->ktr_len; cred = req->ktr_cred; td = curthread; auio.uio_iov = &aiov[0]; auio.uio_offset = 0; auio.uio_segflg = UIO_SYSSPACE; auio.uio_rw = UIO_WRITE; aiov[0].iov_base = (caddr_t)kth; aiov[0].iov_len = sizeof(struct ktr_header); auio.uio_resid = sizeof(struct ktr_header); auio.uio_iovcnt = 1; auio.uio_td = td; if (datalen != 0) { aiov[1].iov_base = (caddr_t)&req->ktr_data; aiov[1].iov_len = datalen; auio.uio_resid += datalen; auio.uio_iovcnt++; kth->ktr_len += datalen; } if (buflen != 0) { KASSERT(kth->ktr_buffer != NULL, ("ktrace: nothing to write")); aiov[auio.uio_iovcnt].iov_base = kth->ktr_buffer; aiov[auio.uio_iovcnt].iov_len = buflen; auio.uio_resid += buflen; auio.uio_iovcnt++; } else uio = kth->ktr_buffer; KASSERT((uio == NULL) ^ (kth->ktr_type == KTR_GENIO), ("ktrace: uio and genio mismatch")); if (uio != NULL) kth->ktr_len += uio->uio_resid; mtx_lock(&Giant); vn_start_write(vp, &mp, V_WAIT); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); (void)VOP_LEASE(vp, td, cred, LEASE_WRITE); #ifdef MAC - error = mac_check_vnode_op(cred, vp, MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(cred, vp); if (error == 0) #endif error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred); if (error == 0 && uio != NULL) { (void)VOP_LEASE(vp, td, cred, LEASE_WRITE); error = VOP_WRITE(vp, uio, IO_UNIT | IO_APPEND, cred); } VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); mtx_unlock(&Giant); if (buflen != 0) free(kth->ktr_buffer, M_KTRACE); if (!error) return; /* * If error encountered, give up tracing on this vnode. We defer * all the vrele()'s on the vnode until after we are finished walking * the various lists to avoid needlessly holding locks. */ log(LOG_NOTICE, "ktrace write failed, errno %d, tracing stopped\n", error); vrele_count = 0; /* * First, clear this vnode from being used by any processes in the * system. * XXX - If one process gets an EPERM writing to the vnode, should * we really do this? Other processes might have suitable * credentials for the operation. */ sx_slock(&allproc_lock); LIST_FOREACH(p, &allproc, p_list) { PROC_LOCK(p); if (p->p_tracep == vp) { mtx_lock(&ktrace_mtx); p->p_tracep = NULL; p->p_traceflag = 0; mtx_unlock(&ktrace_mtx); vrele_count++; } PROC_UNLOCK(p); } sx_sunlock(&allproc_lock); /* * Second, clear this vnode from any pending requests. */ mtx_lock(&ktrace_mtx); STAILQ_FOREACH(req, &ktr_todo, ktr_list) { if (req->ktr_vp == vp) { req->ktr_vp = NULL; vrele_count++; } } mtx_unlock(&ktrace_mtx); mtx_lock(&Giant); while (vrele_count-- > 0) vrele(vp); mtx_unlock(&Giant); } /* * Return true if caller has permission to set the ktracing state * of target. Essentially, the target can't possess any * more permissions than the caller. KTRFAC_ROOT signifies that * root previously set the tracing status on the target process, and * so, only root may further change it. */ static int ktrcanset(td, targetp) struct thread *td; struct proc *targetp; { PROC_LOCK_ASSERT(targetp, MA_OWNED); if (targetp->p_traceflag & KTRFAC_ROOT && suser_cred(td->td_ucred, PRISON_ROOT)) return (0); if (p_candebug(td, targetp) != 0) return (0); return (1); } #endif /* KTRACE */ Index: head/sys/kern/kern_mac.c =================================================================== --- head/sys/kern/kern_mac.c (revision 102111) +++ head/sys/kern/kern_mac.c (revision 102112) @@ -1,3174 +1,3221 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the * TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by NAI Labs, * the Security Research Division of Network Associates, Inc. under * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The names of the authors may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ /* * Developed by the TrustedBSD Project. * * Framework for extensible kernel access control. Kernel and userland * interface to the framework, policy registration and composition. */ #include "opt_mac.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef MAC /* * Declare that the kernel provides MAC support, version 1. This permits * modules to refuse to be loaded if the necessary support isn't present, * even if it's pre-boot. */ MODULE_VERSION(kernel_mac_support, 1); SYSCTL_DECL(_security); SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0, "TrustedBSD MAC policy controls"); SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0, "TrustedBSD MAC debug info"); static int mac_debug_label_fallback = 0; SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW, &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label" "when label is corrupted."); TUNABLE_INT("security.mac.debug_label_fallback", &mac_debug_label_fallback); #ifndef MAC_MAX_POLICIES #define MAC_MAX_POLICIES 8 #endif #if MAC_MAX_POLICIES > 32 #error "MAC_MAX_POLICIES too large" #endif static unsigned int mac_max_policies = MAC_MAX_POLICIES; static unsigned int mac_policy_offsets_free = (1 << MAC_MAX_POLICIES) - 1; SYSCTL_UINT(_security_mac, OID_AUTO, max_policies, CTLFLAG_RD, &mac_max_policies, 0, ""); static int mac_late = 0; static int mac_enforce_fs = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); static int mac_enforce_network = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, &mac_enforce_network, 0, "Enforce MAC policy on network packets"); TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network); static int mac_enforce_process = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW, &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations"); TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process); static int mac_enforce_socket = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); static int mac_enforce_pipe = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW, &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations"); static int mac_label_size = sizeof(struct mac); SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, &mac_label_size, 0, "Pre-compiled MAC label size"); static int mac_cache_fslabel_in_vnode = 1; SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW, &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode"); TUNABLE_INT("security.mac.cache_fslabel_in_vnode", &mac_cache_fslabel_in_vnode); static int mac_vnode_label_cache_hits = 0; SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD, &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels"); static int mac_vnode_label_cache_misses = 0; SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD, &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels"); static int mac_mmap_revocation_via_cow = 0; SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " "copy-on-write semantics, or by removing all write access"); #ifdef MAC_DEBUG static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, nmacipqs, nmacpipes; SYSCTL_UINT(_security_mac_debug, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, creds, CTLFLAG_RD, &nmaccreds, 0, "number of ucreds in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, ifnets, CTLFLAG_RD, &nmacifnets, 0, "number of ifnets in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, ipqs, CTLFLAG_RD, &nmacipqs, 0, "number of ipqs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, bpfdescs, CTLFLAG_RD, &nmacbpfdescs, 0, "number of bpfdescs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, pipes, CTLFLAG_RD, &nmacpipes, 0, "number of pipes in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, mounts, CTLFLAG_RD, &nmacmounts, 0, "number of mounts in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, temp, CTLFLAG_RD, &nmactemp, 0, "number of temporary labels in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, vnodes, CTLFLAG_RD, &nmacvnodes, 0, "number of vnodes in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, devfsdirents, CTLFLAG_RD, &nmacdevfsdirents, 0, "number of devfs dirents inuse"); #endif static int error_select(int error1, int error2); static int mac_externalize(struct label *label, struct mac *mac); static int mac_policy_register(struct mac_policy_conf *mpc); static int mac_policy_unregister(struct mac_policy_conf *mpc); static int mac_stdcreatevnode_ea(struct vnode *vp); static void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred); static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map); MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector"); MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes"); /* * mac_policy_list_lock protects the consistency of 'mac_policy_list', * the linked list of attached policy modules. Read-only consumers of * the list must acquire a shared lock for the duration of their use; * writers must acquire an exclusive lock. Note that for compound * operations, locks should be held for the entire compound operation, * and that this is not yet done for relabel requests. */ static struct mtx mac_policy_list_lock; static LIST_HEAD(, mac_policy_conf) mac_policy_list; static int mac_policy_list_busy; #define MAC_POLICY_LIST_LOCKINIT() mtx_init(&mac_policy_list_lock, \ "mac_policy_list_lock", NULL, MTX_DEF); #define MAC_POLICY_LIST_LOCK() mtx_lock(&mac_policy_list_lock); #define MAC_POLICY_LIST_UNLOCK() mtx_unlock(&mac_policy_list_lock); #define MAC_POLICY_LIST_BUSY() do { \ MAC_POLICY_LIST_LOCK(); \ mac_policy_list_busy++; \ MAC_POLICY_LIST_UNLOCK(); \ } while (0) #define MAC_POLICY_LIST_UNBUSY() do { \ MAC_POLICY_LIST_LOCK(); \ mac_policy_list_busy--; \ if (mac_policy_list_busy < 0) \ panic("Extra mac_policy_list_busy--"); \ MAC_POLICY_LIST_UNLOCK(); \ } while (0) /* * MAC_CHECK performs the designated check by walking the policy * module list and checking with each as to how it feels about the * request. Note that it returns its value via 'error' in the scope * of the caller. */ #define MAC_CHECK(check, args...) do { \ struct mac_policy_conf *mpc; \ \ error = 0; \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## check != NULL) \ error = error_select( \ mpc->mpc_ops->mpo_ ## check (args), \ error); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * MAC_BOOLEAN performs the designated boolean composition by walking * the module list, invoking each instance of the operation, and * combining the results using the passed C operator. Note that it * returns its value via 'result' in the scope of the caller, which * should be initialized by the caller in a meaningful way to get * a meaningful result. */ #define MAC_BOOLEAN(operation, composition, args...) do { \ struct mac_policy_conf *mpc; \ \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## operation != NULL) \ result = result composition \ mpc->mpc_ops->mpo_ ## operation (args); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * MAC_PERFORM performs the designated operation by walking the policy * module list and invoking that operation for each policy. */ #define MAC_PERFORM(operation, args...) do { \ struct mac_policy_conf *mpc; \ \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## operation != NULL) \ mpc->mpc_ops->mpo_ ## operation (args); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * Initialize the MAC subsystem, including appropriate SMP locks. */ static void mac_init(void) { LIST_INIT(&mac_policy_list); MAC_POLICY_LIST_LOCKINIT(); } /* * For the purposes of modules that want to know if they were loaded * "early", set the mac_late flag once we've processed modules either * linked into the kernel, or loaded before the kernel startup. */ static void mac_late_init(void) { mac_late = 1; } /* * Allow MAC policy modules to register during boot, etc. */ int mac_policy_modevent(module_t mod, int type, void *data) { struct mac_policy_conf *mpc; int error; error = 0; mpc = (struct mac_policy_conf *) data; switch (type) { case MOD_LOAD: if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE && mac_late) { printf("mac_policy_modevent: can't load %s policy " "after booting\n", mpc->mpc_name); error = EBUSY; break; } error = mac_policy_register(mpc); break; case MOD_UNLOAD: /* Don't unregister the module if it was never registered. */ if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) != 0) error = mac_policy_unregister(mpc); else error = 0; break; default: break; } return (error); } static int mac_policy_register(struct mac_policy_conf *mpc) { struct mac_policy_conf *tmpc; struct mac_policy_ops *ops; struct mac_policy_op_entry *mpe; int slot; MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*ops), M_MACOPVEC, M_WAITOK | M_ZERO); for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) { switch (mpe->mpe_constant) { case MAC_OP_LAST: /* * Doesn't actually happen, but this allows checking * that all enumerated values are handled. */ break; case MAC_DESTROY: mpc->mpc_ops->mpo_destroy = mpe->mpe_function; break; case MAC_INIT: mpc->mpc_ops->mpo_init = mpe->mpe_function; break; case MAC_INIT_BPFDESC: mpc->mpc_ops->mpo_init_bpfdesc = mpe->mpe_function; break; case MAC_INIT_CRED: mpc->mpc_ops->mpo_init_cred = mpe->mpe_function; break; case MAC_INIT_DEVFSDIRENT: mpc->mpc_ops->mpo_init_devfsdirent = mpe->mpe_function; break; case MAC_INIT_IFNET: mpc->mpc_ops->mpo_init_ifnet = mpe->mpe_function; break; case MAC_INIT_IPQ: mpc->mpc_ops->mpo_init_ipq = mpe->mpe_function; break; case MAC_INIT_MBUF: mpc->mpc_ops->mpo_init_mbuf = mpe->mpe_function; break; case MAC_INIT_MOUNT: mpc->mpc_ops->mpo_init_mount = mpe->mpe_function; break; case MAC_INIT_PIPE: mpc->mpc_ops->mpo_init_pipe = mpe->mpe_function; break; case MAC_INIT_SOCKET: mpc->mpc_ops->mpo_init_socket = mpe->mpe_function; break; case MAC_INIT_TEMP: mpc->mpc_ops->mpo_init_temp = mpe->mpe_function; break; case MAC_INIT_VNODE: mpc->mpc_ops->mpo_init_vnode = mpe->mpe_function; break; case MAC_DESTROY_BPFDESC: mpc->mpc_ops->mpo_destroy_bpfdesc = mpe->mpe_function; break; case MAC_DESTROY_CRED: mpc->mpc_ops->mpo_destroy_cred = mpe->mpe_function; break; case MAC_DESTROY_DEVFSDIRENT: mpc->mpc_ops->mpo_destroy_devfsdirent = mpe->mpe_function; break; case MAC_DESTROY_IFNET: mpc->mpc_ops->mpo_destroy_ifnet = mpe->mpe_function; break; case MAC_DESTROY_IPQ: mpc->mpc_ops->mpo_destroy_ipq = mpe->mpe_function; break; case MAC_DESTROY_MBUF: mpc->mpc_ops->mpo_destroy_mbuf = mpe->mpe_function; break; case MAC_DESTROY_MOUNT: mpc->mpc_ops->mpo_destroy_mount = mpe->mpe_function; break; case MAC_DESTROY_PIPE: mpc->mpc_ops->mpo_destroy_pipe = mpe->mpe_function; break; case MAC_DESTROY_SOCKET: mpc->mpc_ops->mpo_destroy_socket = mpe->mpe_function; break; case MAC_DESTROY_TEMP: mpc->mpc_ops->mpo_destroy_temp = mpe->mpe_function; break; case MAC_DESTROY_VNODE: mpc->mpc_ops->mpo_destroy_vnode = mpe->mpe_function; break; case MAC_EXTERNALIZE: mpc->mpc_ops->mpo_externalize = mpe->mpe_function; break; case MAC_INTERNALIZE: mpc->mpc_ops->mpo_internalize = mpe->mpe_function; break; case MAC_CREATE_DEVFS_DEVICE: mpc->mpc_ops->mpo_create_devfs_device = mpe->mpe_function; break; case MAC_CREATE_DEVFS_DIRECTORY: mpc->mpc_ops->mpo_create_devfs_directory = mpe->mpe_function; break; case MAC_CREATE_DEVFS_VNODE: mpc->mpc_ops->mpo_create_devfs_vnode = mpe->mpe_function; break; case MAC_STDCREATEVNODE_EA: mpc->mpc_ops->mpo_stdcreatevnode_ea = mpe->mpe_function; break; case MAC_CREATE_VNODE: mpc->mpc_ops->mpo_create_vnode = mpe->mpe_function; break; case MAC_CREATE_MOUNT: mpc->mpc_ops->mpo_create_mount = mpe->mpe_function; break; case MAC_CREATE_ROOT_MOUNT: mpc->mpc_ops->mpo_create_root_mount = mpe->mpe_function; break; case MAC_RELABEL_VNODE: mpc->mpc_ops->mpo_relabel_vnode = mpe->mpe_function; break; case MAC_UPDATE_DEVFSDIRENT: mpc->mpc_ops->mpo_update_devfsdirent = mpe->mpe_function; break; case MAC_UPDATE_PROCFSVNODE: mpc->mpc_ops->mpo_update_procfsvnode = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_EXTATTR: mpc->mpc_ops->mpo_update_vnode_from_extattr = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_EXTERNALIZED: mpc->mpc_ops->mpo_update_vnode_from_externalized = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_MOUNT: mpc->mpc_ops->mpo_update_vnode_from_mount = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_SOCKET: mpc->mpc_ops->mpo_create_mbuf_from_socket = mpe->mpe_function; break; case MAC_CREATE_PIPE: mpc->mpc_ops->mpo_create_pipe = mpe->mpe_function; break; case MAC_CREATE_SOCKET: mpc->mpc_ops->mpo_create_socket = mpe->mpe_function; break; case MAC_CREATE_SOCKET_FROM_SOCKET: mpc->mpc_ops->mpo_create_socket_from_socket = mpe->mpe_function; break; case MAC_RELABEL_PIPE: mpc->mpc_ops->mpo_relabel_pipe = mpe->mpe_function; break; case MAC_RELABEL_SOCKET: mpc->mpc_ops->mpo_relabel_socket = mpe->mpe_function; break; case MAC_SET_SOCKET_PEER_FROM_MBUF: mpc->mpc_ops->mpo_set_socket_peer_from_mbuf = mpe->mpe_function; break; case MAC_SET_SOCKET_PEER_FROM_SOCKET: mpc->mpc_ops->mpo_set_socket_peer_from_socket = mpe->mpe_function; break; case MAC_CREATE_BPFDESC: mpc->mpc_ops->mpo_create_bpfdesc = mpe->mpe_function; break; case MAC_CREATE_DATAGRAM_FROM_IPQ: mpc->mpc_ops->mpo_create_datagram_from_ipq = mpe->mpe_function; break; case MAC_CREATE_FRAGMENT: mpc->mpc_ops->mpo_create_fragment = mpe->mpe_function; break; case MAC_CREATE_IFNET: mpc->mpc_ops->mpo_create_ifnet = mpe->mpe_function; break; case MAC_CREATE_IPQ: mpc->mpc_ops->mpo_create_ipq = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_MBUF: mpc->mpc_ops->mpo_create_mbuf_from_mbuf = mpe->mpe_function; break; case MAC_CREATE_MBUF_LINKLAYER: mpc->mpc_ops->mpo_create_mbuf_linklayer = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_BPFDESC: mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_IFNET: mpc->mpc_ops->mpo_create_mbuf_from_ifnet = mpe->mpe_function; break; case MAC_CREATE_MBUF_MULTICAST_ENCAP: mpc->mpc_ops->mpo_create_mbuf_multicast_encap = mpe->mpe_function; break; case MAC_CREATE_MBUF_NETLAYER: mpc->mpc_ops->mpo_create_mbuf_netlayer = mpe->mpe_function; break; case MAC_FRAGMENT_MATCH: mpc->mpc_ops->mpo_fragment_match = mpe->mpe_function; break; case MAC_RELABEL_IFNET: mpc->mpc_ops->mpo_relabel_ifnet = mpe->mpe_function; break; case MAC_UPDATE_IPQ: mpc->mpc_ops->mpo_update_ipq = mpe->mpe_function; break; case MAC_CREATE_CRED: mpc->mpc_ops->mpo_create_cred = mpe->mpe_function; break; case MAC_EXECVE_TRANSITION: mpc->mpc_ops->mpo_execve_transition = mpe->mpe_function; break; case MAC_EXECVE_WILL_TRANSITION: mpc->mpc_ops->mpo_execve_will_transition = mpe->mpe_function; break; case MAC_CREATE_PROC0: mpc->mpc_ops->mpo_create_proc0 = mpe->mpe_function; break; case MAC_CREATE_PROC1: mpc->mpc_ops->mpo_create_proc1 = mpe->mpe_function; break; case MAC_RELABEL_CRED: mpc->mpc_ops->mpo_relabel_cred = mpe->mpe_function; break; case MAC_CHECK_BPFDESC_RECEIVE: mpc->mpc_ops->mpo_check_bpfdesc_receive = mpe->mpe_function; break; case MAC_CHECK_CRED_RELABEL: mpc->mpc_ops->mpo_check_cred_relabel = mpe->mpe_function; break; case MAC_CHECK_CRED_VISIBLE: mpc->mpc_ops->mpo_check_cred_visible = mpe->mpe_function; break; case MAC_CHECK_IFNET_RELABEL: mpc->mpc_ops->mpo_check_ifnet_relabel = mpe->mpe_function; break; case MAC_CHECK_IFNET_TRANSMIT: mpc->mpc_ops->mpo_check_ifnet_transmit = mpe->mpe_function; break; case MAC_CHECK_MOUNT_STAT: mpc->mpc_ops->mpo_check_mount_stat = mpe->mpe_function; break; case MAC_CHECK_PIPE_IOCTL: mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; case MAC_CHECK_PIPE_OP: mpc->mpc_ops->mpo_check_pipe_op = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; break; case MAC_CHECK_PROC_SCHED: mpc->mpc_ops->mpo_check_proc_sched = mpe->mpe_function; break; case MAC_CHECK_PROC_SIGNAL: mpc->mpc_ops->mpo_check_proc_signal = mpe->mpe_function; break; case MAC_CHECK_SOCKET_BIND: mpc->mpc_ops->mpo_check_socket_bind = mpe->mpe_function; break; case MAC_CHECK_SOCKET_CONNECT: mpc->mpc_ops->mpo_check_socket_connect = mpe->mpe_function; break; case MAC_CHECK_SOCKET_DELIVER: mpc->mpc_ops->mpo_check_socket_deliver = mpe->mpe_function; break; case MAC_CHECK_SOCKET_LISTEN: mpc->mpc_ops->mpo_check_socket_listen = mpe->mpe_function; break; case MAC_CHECK_SOCKET_RELABEL: mpc->mpc_ops->mpo_check_socket_relabel = mpe->mpe_function; break; case MAC_CHECK_SOCKET_VISIBLE: mpc->mpc_ops->mpo_check_socket_visible = mpe->mpe_function; break; case MAC_CHECK_VNODE_ACCESS: mpc->mpc_ops->mpo_check_vnode_access = mpe->mpe_function; break; case MAC_CHECK_VNODE_CHDIR: mpc->mpc_ops->mpo_check_vnode_chdir = mpe->mpe_function; break; case MAC_CHECK_VNODE_CHROOT: mpc->mpc_ops->mpo_check_vnode_chroot = mpe->mpe_function; break; case MAC_CHECK_VNODE_CREATE: mpc->mpc_ops->mpo_check_vnode_create = mpe->mpe_function; break; case MAC_CHECK_VNODE_DELETE: mpc->mpc_ops->mpo_check_vnode_delete = mpe->mpe_function; break; case MAC_CHECK_VNODE_DELETEACL: mpc->mpc_ops->mpo_check_vnode_deleteacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_EXEC: mpc->mpc_ops->mpo_check_vnode_exec = mpe->mpe_function; break; case MAC_CHECK_VNODE_GETACL: mpc->mpc_ops->mpo_check_vnode_getacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_GETEXTATTR: mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; case MAC_CHECK_VNODE_LOOKUP: mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; break; case MAC_CHECK_VNODE_MMAP_PERMS: mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; break; case MAC_CHECK_VNODE_READLINK: mpc->mpc_ops->mpo_check_vnode_readlink = mpe->mpe_function; break; case MAC_CHECK_VNODE_RELABEL: mpc->mpc_ops->mpo_check_vnode_relabel = mpe->mpe_function; break; case MAC_CHECK_VNODE_RENAME_FROM: mpc->mpc_ops->mpo_check_vnode_rename_from = mpe->mpe_function; break; case MAC_CHECK_VNODE_RENAME_TO: mpc->mpc_ops->mpo_check_vnode_rename_to = mpe->mpe_function; break; case MAC_CHECK_VNODE_REVOKE: mpc->mpc_ops->mpo_check_vnode_revoke = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETACL: mpc->mpc_ops->mpo_check_vnode_setacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETEXTATTR: mpc->mpc_ops->mpo_check_vnode_setextattr = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETFLAGS: mpc->mpc_ops->mpo_check_vnode_setflags = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETMODE: mpc->mpc_ops->mpo_check_vnode_setmode = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETOWNER: mpc->mpc_ops->mpo_check_vnode_setowner = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETUTIMES: mpc->mpc_ops->mpo_check_vnode_setutimes = mpe->mpe_function; break; case MAC_CHECK_VNODE_STAT: mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", mpc->mpc_name, mpe->mpe_constant); return (EINVAL); */ } } MAC_POLICY_LIST_LOCK(); if (mac_policy_list_busy > 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (EBUSY); } LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (EEXIST); } } if (mpc->mpc_field_off != NULL) { slot = ffs(mac_policy_offsets_free); if (slot == 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (ENOMEM); } slot--; mac_policy_offsets_free &= ~(1 << slot); *mpc->mpc_field_off = slot; } mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED; LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list); /* Per-policy initialization. */ if (mpc->mpc_ops->mpo_init != NULL) (*(mpc->mpc_ops->mpo_init))(mpc); MAC_POLICY_LIST_UNLOCK(); printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); return (0); } static int mac_policy_unregister(struct mac_policy_conf *mpc) { #if 0 /* * Don't allow unloading modules with private data. */ if (mpc->mpc_field_off != NULL) return (EBUSY); #endif if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) return (EBUSY); MAC_POLICY_LIST_LOCK(); if (mac_policy_list_busy > 0) { MAC_POLICY_LIST_UNLOCK(); return (EBUSY); } if (mpc->mpc_ops->mpo_destroy != NULL) (*(mpc->mpc_ops->mpo_destroy))(mpc); LIST_REMOVE(mpc, mpc_list); MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); return (0); } /* * Define an error value precedence, and given two arguments, selects the * value with the higher precedence. */ static int error_select(int error1, int error2) { /* Certain decision-making errors take top priority. */ if (error1 == EDEADLK || error2 == EDEADLK) return (EDEADLK); /* Invalid arguments should be reported where possible. */ if (error1 == EINVAL || error2 == EINVAL) return (EINVAL); /* Precedence goes to "visibility", with both process and file. */ if (error1 == ESRCH || error2 == ESRCH) return (ESRCH); if (error1 == ENOENT || error2 == ENOENT) return (ENOENT); /* Precedence goes to DAC/MAC protections. */ if (error1 == EACCES || error2 == EACCES) return (EACCES); /* Precedence goes to privilege. */ if (error1 == EPERM || error2 == EPERM) return (EPERM); /* Precedence goes to error over success; otherwise, arbitrary. */ if (error1 != 0) return (error1); return (error2); } void mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp) { MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label); } void mac_update_procfsvnode(struct vnode *vp, struct ucred *cred) { MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred); } /* * Support callout for policies that manage their own externalization * using extended attributes. */ static int mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp) { int error; MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp, &mp->mnt_fslabel); return (error); } /* * Given an externalized mac label, internalize it and stamp it on a * vnode. */ static int mac_update_vnode_from_externalized(struct vnode *vp, struct mac *extmac) { int error; MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac); return (error); } /* * Call out to individual policies to update the label in a vnode from * the mountpoint. */ void mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp) { MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp, &mp->mnt_fslabel); ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount"); if (mac_cache_fslabel_in_vnode) vp->v_vflag |= VV_CACHEDLABEL; } /* * Implementation of VOP_REFRESHLABEL() that relies on extended attributes * to store label data. Can be referenced by filesystems supporting * extended attributes. */ int vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap) { struct vnode *vp = ap->a_vp; struct mac extmac; int buflen, error; ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea"); /* * Call out to external policies first. Order doesn't really * matter, as long as failure of one assures failure of all. */ error = mac_update_vnode_from_extattr(vp, vp->v_mount); if (error) return (error); buflen = sizeof(extmac); error = vn_extattr_get(vp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen, (char *)&extmac, curthread); switch (error) { case 0: /* Got it */ break; case ENOATTR: /* * Use the label from the mount point. */ mac_update_vnode_from_mount(vp, vp->v_mount); return (0); case EOPNOTSUPP: default: /* Fail horribly. */ return (error); } if (buflen != sizeof(extmac)) error = EPERM; /* Fail very closed. */ if (error == 0) error = mac_update_vnode_from_externalized(vp, &extmac); if (error == 0) vp->v_vflag |= VV_CACHEDLABEL; else { struct vattr va; printf("Corrupted label on %s", vp->v_mount->mnt_stat.f_mntonname); if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0) printf(" inum %ld", va.va_fileid); if (mac_debug_label_fallback) { printf(", falling back.\n"); mac_update_vnode_from_mount(vp, vp->v_mount); error = 0; } else { printf(".\n"); error = EPERM; } } return (error); } /* * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle * the labeling activity outselves. Filesystems should be careful not * to change their minds regarding whether they support vop_refreshlabel() * for a vnode or not. Don't cache the vnode here, allow the file * system code to determine if it's safe to cache. If we update from * the mount, don't cache since a change to the mount label should affect * all vnodes. */ static int vn_refreshlabel(struct vnode *vp, struct ucred *cred) { int error; ASSERT_VOP_LOCKED(vp, "vn_refreshlabel"); if (vp->v_mount == NULL) { /* Eventually, we probably want to special-case refreshing of deadfs vnodes, and if there's a lock-free race somewhere, that case might be handled here. mac_update_vnode_deadfs(vp); return (0); */ /* printf("vn_refreshlabel: null v_mount\n"); */ if (vp->v_tag != VT_NON) printf( "vn_refreshlabel: null v_mount with non-VT_NON\n"); return (EBADF); } if (vp->v_vflag & VV_CACHEDLABEL) { mac_vnode_label_cache_hits++; return (0); } else mac_vnode_label_cache_misses++; if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { mac_update_vnode_from_mount(vp, vp->v_mount); return (0); } error = VOP_REFRESHLABEL(vp, cred, curthread); switch (error) { case EOPNOTSUPP: /* * If labels are not supported on this vnode, fall back to * the label in the mount and propagate it to the vnode. * There should probably be some sort of policy/flag/decision * about doing this. */ mac_update_vnode_from_mount(vp, vp->v_mount); error = 0; default: return (error); } } /* * Helper function for file systems using the vop_std*_ea() calls. This * function must be called after EA service is available for the vnode, * but before it's hooked up to the namespace so that the node persists * if there's a crash, or before it can be accessed. On successful * commit of the label to disk (etc), do cache the label. */ int vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred) { struct mac extmac; int error; ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea"); if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { mac_update_vnode_from_mount(tvp, tvp->v_mount); } else { error = vn_refreshlabel(dvp, cred); if (error) return (error); /* * Stick the label in the vnode. Then try to write to * disk. If we fail, return a failure to abort the * create operation. Really, this failure shouldn't * happen except in fairly unusual circumstances (out * of disk, etc). */ mac_create_vnode(cred, dvp, tvp); error = mac_stdcreatevnode_ea(tvp); if (error) return (error); /* * XXX: Eventually this will go away and all policies will * directly manage their extended attributes. */ error = mac_externalize(&tvp->v_label, &extmac); if (error) return (error); error = vn_extattr_set(tvp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, sizeof(extmac), (char *)&extmac, curthread); if (error == 0) tvp->v_vflag |= VV_CACHEDLABEL; else { #if 0 /* * In theory, we could have fall-back behavior here. * It would probably be incorrect. */ #endif return (error); } } return (0); } void mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_execve_transition"); error = vn_refreshlabel(vp, old); if (error) { printf("mac_execve_transition: vn_refreshlabel returned %d\n", error); printf("mac_execve_transition: using old vnode label\n"); } MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label); } int mac_execve_will_transition(struct ucred *old, struct vnode *vp) { int error, result; error = vn_refreshlabel(vp, old); if (error) return (error); result = 0; MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label); return (result); } static void mac_init_label(struct label *label) { bzero(label, sizeof(*label)); label->l_flags = MAC_FLAG_INITIALIZED; } static void mac_init_structmac(struct mac *mac) { bzero(mac, sizeof(*mac)); mac->m_macflags = MAC_FLAG_INITIALIZED; } static void mac_destroy_label(struct label *label) { KASSERT(label->l_flags & MAC_FLAG_INITIALIZED, ("destroying uninitialized label")); bzero(label, sizeof(*label)); /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */ } int mac_init_mbuf(struct mbuf *m, int how) { KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf")); /* "how" is one of M_(TRY|DONT)WAIT */ mac_init_label(&m->m_pkthdr.label); MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_add_int(&nmacmbufs, 1); #endif return (0); } void mac_destroy_mbuf(struct mbuf *m) { MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmbufs, 1); #endif } void mac_init_cred(struct ucred *cr) { mac_init_label(&cr->cr_label); MAC_PERFORM(init_cred, cr, &cr->cr_label); #ifdef MAC_DEBUG atomic_add_int(&nmaccreds, 1); #endif } void mac_destroy_cred(struct ucred *cr) { MAC_PERFORM(destroy_cred, cr, &cr->cr_label); mac_destroy_label(&cr->cr_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmaccreds, 1); #endif } void mac_init_ifnet(struct ifnet *ifp) { mac_init_label(&ifp->if_label); MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); #ifdef MAC_DEBUG atomic_add_int(&nmacifnets, 1); #endif } void mac_destroy_ifnet(struct ifnet *ifp) { MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacifnets, 1); #endif } void mac_init_ipq(struct ipq *ipq) { mac_init_label(&ipq->ipq_label); MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); #ifdef MAC_DEBUG atomic_add_int(&nmacipqs, 1); #endif } void mac_destroy_ipq(struct ipq *ipq) { MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); mac_destroy_label(&ipq->ipq_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacipqs, 1); #endif } void mac_init_socket(struct socket *socket) { mac_init_label(&socket->so_label); mac_init_label(&socket->so_peerlabel); MAC_PERFORM(init_socket, socket, &socket->so_label, &socket->so_peerlabel); #ifdef MAC_DEBUG atomic_add_int(&nmacsockets, 1); #endif } void mac_destroy_socket(struct socket *socket) { MAC_PERFORM(destroy_socket, socket, &socket->so_label, &socket->so_peerlabel); mac_destroy_label(&socket->so_label); mac_destroy_label(&socket->so_peerlabel); #ifdef MAC_DEBUG atomic_subtract_int(&nmacsockets, 1); #endif } void mac_init_pipe(struct pipe *pipe) { struct label *label; label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); mac_init_label(label); pipe->pipe_label = label; pipe->pipe_peer->pipe_label = label; MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); #ifdef MAC_DEBUG atomic_add_int(&nmacpipes, 1); #endif } void mac_destroy_pipe(struct pipe *pipe) { MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); mac_destroy_label(pipe->pipe_label); free(pipe->pipe_label, M_MACPIPELABEL); #ifdef MAC_DEBUG atomic_subtract_int(&nmacpipes, 1); #endif } void mac_init_bpfdesc(struct bpf_d *bpf_d) { mac_init_label(&bpf_d->bd_label); MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); #ifdef MAC_DEBUG atomic_add_int(&nmacbpfdescs, 1); #endif } void mac_destroy_bpfdesc(struct bpf_d *bpf_d) { MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); mac_destroy_label(&bpf_d->bd_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacbpfdescs, 1); #endif } void mac_init_mount(struct mount *mp) { mac_init_label(&mp->mnt_mntlabel); mac_init_label(&mp->mnt_fslabel); MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); #ifdef MAC_DEBUG atomic_add_int(&nmacmounts, 1); #endif } void mac_destroy_mount(struct mount *mp) { MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); mac_destroy_label(&mp->mnt_fslabel); mac_destroy_label(&mp->mnt_mntlabel); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmounts, 1); #endif } static void mac_init_temp(struct label *label) { mac_init_label(label); MAC_PERFORM(init_temp, label); #ifdef MAC_DEBUG atomic_add_int(&nmactemp, 1); #endif } static void mac_destroy_temp(struct label *label) { MAC_PERFORM(destroy_temp, label); mac_destroy_label(label); #ifdef MAC_DEBUG atomic_subtract_int(&nmactemp, 1); #endif } void mac_init_vnode(struct vnode *vp) { mac_init_label(&vp->v_label); MAC_PERFORM(init_vnode, vp, &vp->v_label); #ifdef MAC_DEBUG atomic_add_int(&nmacvnodes, 1); #endif } void mac_destroy_vnode(struct vnode *vp) { MAC_PERFORM(destroy_vnode, vp, &vp->v_label); mac_destroy_label(&vp->v_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacvnodes, 1); #endif } void mac_init_devfsdirent(struct devfs_dirent *de) { mac_init_label(&de->de_label); MAC_PERFORM(init_devfsdirent, de, &de->de_label); #ifdef MAC_DEBUG atomic_add_int(&nmacdevfsdirents, 1); #endif } void mac_destroy_devfsdirent(struct devfs_dirent *de) { MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); mac_destroy_label(&de->de_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacdevfsdirents, 1); #endif } static int mac_externalize(struct label *label, struct mac *mac) { int error; mac_init_structmac(mac); MAC_CHECK(externalize, label, mac); return (error); } static int mac_internalize(struct label *label, struct mac *mac) { int error; mac_init_temp(label); MAC_CHECK(internalize, label, mac); if (error) mac_destroy_temp(label); return (error); } /* * Initialize MAC label for the first kernel process, from which other * kernel processes and threads are spawned. */ void mac_create_proc0(struct ucred *cred) { MAC_PERFORM(create_proc0, cred); } /* * Initialize MAC label for the first userland process, from which other * userland processes and threads are spawned. */ void mac_create_proc1(struct ucred *cred) { MAC_PERFORM(create_proc1, cred); } /* * When a new process is created, its label must be initialized. Generally, * this involves inheritence from the parent process, modulo possible * deltas. This function allows that processing to take place. */ void mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred) { MAC_PERFORM(create_cred, parent_cred, child_cred); } int mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags); return (error); } int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct componentname *cnp, struct vattr *vap) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap); return (error); } int mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type); return (error); } int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec"); if (!mac_enforce_process && !mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label); return (error); } int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type); return (error); } int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp); return (error); } vm_prot_t mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) { vm_prot_t result = VM_PROT_ALL; /* * This should be some sort of MAC_BITWISE, maybe :) */ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_perms"); MAC_BOOLEAN(check_vnode_mmap_perms, &, cred, vp, &vp->v_label, newmapping); return (result); } int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) +mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + if (!mac_enforce_fs) return (0); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + return (error); +} + +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); + error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); return (error); } int -mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + return (error); } int mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label); return (error); } static int mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel"); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel); return (error); } int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, struct vnode *vp, int samedir, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); if (vp != NULL) { error = vn_refreshlabel(vp, cred); if (error) return (error); } MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp, vp != NULL ? &vp->v_label : NULL, samedir, cnp); return (error); } int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label); return (error); } int mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, struct acl *acl) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl); return (error); } int mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags); return (error); } int mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode); return (error); } int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, gid_t gid) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid); return (error); } int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime, mtime); return (error); } int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label); return (error); } + +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its * memory space, and revoke access (in the least surprising ways we * know) when necessary. The process lock is not held here. */ static void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred) { /* XXX freeze all other threads */ mtx_lock(&Giant); mac_cred_mmapped_drop_perms_recurse(td, cred, &td->td_proc->p_vmspace->vm_map); mtx_unlock(&Giant); /* XXX allow other threads to continue */ } static __inline const char * prot2str(vm_prot_t prot) { switch (prot & VM_PROT_ALL) { case VM_PROT_READ: return ("r--"); case VM_PROT_READ | VM_PROT_WRITE: return ("rw-"); case VM_PROT_READ | VM_PROT_EXECUTE: return ("r-x"); case VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE: return ("rwx"); case VM_PROT_WRITE: return ("-w-"); case VM_PROT_EXECUTE: return ("--x"); case VM_PROT_WRITE | VM_PROT_EXECUTE: return ("-wx"); default: return ("---"); } } static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map) { struct vm_map_entry *vme; vm_prot_t result, revokeperms; vm_object_t object; vm_ooffset_t offset; struct vnode *vp; vm_map_lock_read(map); for (vme = map->header.next; vme != &map->header; vme = vme->next) { if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) { mac_cred_mmapped_drop_perms_recurse(td, cred, vme->object.sub_map); continue; } /* * Skip over entries that obviously are not shared. */ if (vme->eflags & (MAP_ENTRY_COW | MAP_ENTRY_NOSYNC) || !vme->max_protection) continue; /* * Drill down to the deepest backing object. */ offset = vme->offset; object = vme->object.vm_object; if (object == NULL) continue; while (object->backing_object != NULL) { object = object->backing_object; offset += object->backing_object_offset; } /* * At the moment, vm_maps and objects aren't considered * by the MAC system, so only things with backing by a * normal object (read: vnodes) are checked. */ if (object->type != OBJT_VNODE) continue; vp = (struct vnode *)object->handle; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); result = mac_check_vnode_mmap_prot(cred, vp, 0); VOP_UNLOCK(vp, 0, td); /* * Find out what maximum protection we may be allowing * now but a policy needs to get removed. */ revokeperms = vme->max_protection & ~result; if (!revokeperms) continue; printf("pid %d: revoking %s perms from %#lx:%d " "(max %s/cur %s)\n", td->td_proc->p_pid, prot2str(revokeperms), vme->start, vme->end - vme->start, prot2str(vme->max_protection), prot2str(vme->protection)); vm_map_lock_upgrade(map); /* * This is the really simple case: if a map has more * max_protection than is allowed, but it's not being * actually used (that is, the current protection is * still allowed), we can just wipe it out and do * nothing more. */ if ((vme->protection & revokeperms) == 0) { vme->max_protection -= revokeperms; } else { if (revokeperms & VM_PROT_WRITE) { /* * In the more complicated case, flush out all * pending changes to the object then turn it * copy-on-write. */ vm_object_reference(object); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); vm_object_page_clean(object, OFF_TO_IDX(offset), OFF_TO_IDX(offset + vme->end - vme->start + PAGE_MASK), OBJPC_SYNC); VOP_UNLOCK(vp, 0, td); vm_object_deallocate(object); /* * Why bother if there's no read permissions * anymore? For the rest, we need to leave * the write permissions on for COW, or * remove them entirely if configured to. */ if (!mac_mmap_revocation_via_cow) { vme->max_protection &= ~VM_PROT_WRITE; vme->protection &= ~VM_PROT_WRITE; } if ((revokeperms & VM_PROT_READ) == 0) vme->eflags |= MAP_ENTRY_COW | MAP_ENTRY_NEEDS_COPY; } if (revokeperms & VM_PROT_EXECUTE) { vme->max_protection &= ~VM_PROT_EXECUTE; vme->protection &= ~VM_PROT_EXECUTE; } if (revokeperms & VM_PROT_READ) { vme->max_protection = 0; vme->protection = 0; } pmap_protect(map->pmap, vme->start, vme->end, vme->protection & ~revokeperms); vm_map_simplify_entry(map, vme); } vm_map_lock_downgrade(map); } vm_map_unlock_read(map); } /* * When the subject's label changes, it may require revocation of privilege * to mapped objects. This can't be done on-the-fly later with a unified * buffer cache. */ static void mac_relabel_cred(struct ucred *cred, struct label *newlabel) { MAC_PERFORM(relabel_cred, cred, newlabel); mac_cred_mmapped_drop_perms(curthread, cred); } void mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel) { MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel); } void mac_create_ifnet(struct ifnet *ifnet) { MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label); } void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) { MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label); } void mac_create_socket(struct ucred *cred, struct socket *socket) { MAC_PERFORM(create_socket, cred, socket, &socket->so_label); } void mac_create_pipe(struct ucred *cred, struct pipe *pipe) { MAC_PERFORM(create_pipe, cred, pipe, pipe->pipe_label); } void mac_create_socket_from_socket(struct socket *oldsocket, struct socket *newsocket) { MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label, newsocket, &newsocket->so_label); } static void mac_relabel_socket(struct ucred *cred, struct socket *socket, struct label *newlabel) { MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel); } static void mac_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *newlabel) { MAC_PERFORM(relabel_pipe, cred, pipe, pipe->pipe_label, newlabel); } void mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) { MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, &mbuf->m_pkthdr.label, socket, &socket->so_peerlabel); } void mac_set_socket_peer_from_socket(struct socket *oldsocket, struct socket *newsocket) { MAC_PERFORM(set_socket_peer_from_socket, oldsocket, &oldsocket->so_label, newsocket, &newsocket->so_peerlabel); } void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram) { MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label, datagram, &datagram->m_pkthdr.label); } void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment) { MAC_PERFORM(create_fragment, datagram, &datagram->m_pkthdr.label, fragment, &fragment->m_pkthdr.label); } void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq) { MAC_PERFORM(create_ipq, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); } void mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_from_mbuf, oldmbuf, &oldmbuf->m_pkthdr.label, newmbuf, &newmbuf->m_pkthdr.label); } void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, &oldmbuf->m_pkthdr.label, ifnet, &ifnet->if_label, newmbuf, &newmbuf->m_pkthdr.label); } void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_netlayer, oldmbuf, &oldmbuf->m_pkthdr.label, newmbuf, &newmbuf->m_pkthdr.label); } int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) { int result; result = 1; MAC_BOOLEAN(fragment_match, &&, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); return (result); } void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) { MAC_PERFORM(update_ipq, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); } void mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mount(struct ucred *cred, struct mount *mp) { MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); } void mac_create_root_mount(struct ucred *cred, struct mount *mp) { MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); } int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) { int error; if (!mac_enforce_network) return (0); MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet, &ifnet->if_label); return (error); } static int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel) { int error; MAC_CHECK(check_cred_relabel, cred, newlabel); return (error); } int mac_check_cred_visible(struct ucred *u1, struct ucred *u2) { int error; if (!mac_enforce_process) return (0); MAC_CHECK(check_cred_visible, u1, u2); return (error); } int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) { int error; if (!mac_enforce_network) return (0); KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr")); if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED)) printf("%s%d: not initialized\n", ifnet->if_name, ifnet->if_unit); MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); return (error); } int mac_check_mount_stat(struct ucred *cred, struct mount *mount) { int error; if (!mac_enforce_fs) return (0); MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel); return (error); } int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, void *data) { int error; MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); return (error); } int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) { int error; MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); return (error); } static int mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *newlabel) { int error; MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); return (error); } int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_debug, cred, proc); return (error); } int mac_check_proc_sched(struct ucred *cred, struct proc *proc) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_sched, cred, proc); return (error); } int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_signal, cred, proc, signum); return (error); } int mac_check_socket_bind(struct ucred *ucred, struct socket *socket, struct sockaddr *sockaddr) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label, sockaddr); return (error); } int mac_check_socket_connect(struct ucred *cred, struct socket *socket, struct sockaddr *sockaddr) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label, sockaddr); return (error); } int mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf, &mbuf->m_pkthdr.label); return (error); } int mac_check_socket_listen(struct ucred *cred, struct socket *socket) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label); return (error); } static int mac_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *newlabel) { int error; MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label, newlabel); return (error); } int mac_check_socket_visible(struct ucred *cred, struct socket *socket) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label); return (error); } int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { struct mac label; int error; error = mac_externalize(&ifnet->if_label, &label); if (error) return (error); return (copyout(&label, ifr->ifr_ifru.ifru_data, sizeof(label))); } int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { struct mac newlabel; struct label intlabel; int error; error = copyin(ifr->ifr_ifru.ifru_data, &newlabel, sizeof(newlabel)); if (error) return (error); error = mac_internalize(&intlabel, &newlabel); if (error) return (error); /* * XXX: Note that this is a redundant privilege check, since * policies impose this check themselves if required by the * policy. Eventually, this should go away. */ error = suser_cred(cred, 0); if (error) goto out; MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label, &intlabel); if (error) goto out; MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel); out: mac_destroy_temp(&intlabel); return (error); } void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp) { MAC_PERFORM(create_devfs_vnode, de, &de->de_label, vp, &vp->v_label); } void mac_create_devfs_device(dev_t dev, struct devfs_dirent *de) { MAC_PERFORM(create_devfs_device, dev, de, &de->de_label); } static int mac_stdcreatevnode_ea(struct vnode *vp) { int error; MAC_CHECK(stdcreatevnode_ea, vp, &vp->v_label); return (error); } void mac_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *de) { MAC_PERFORM(create_devfs_directory, dirname, dirnamelen, de, &de->de_label); } /* * When a new vnode is created, this call will initialize its label. */ void mac_create_vnode(struct ucred *cred, struct vnode *parent, struct vnode *child) { int error; ASSERT_VOP_LOCKED(parent, "mac_create_vnode"); ASSERT_VOP_LOCKED(child, "mac_create_vnode"); error = vn_refreshlabel(parent, cred); if (error) { printf("mac_create_vnode: vn_refreshlabel returned %d\n", error); printf("mac_create_vnode: using old vnode label\n"); } MAC_PERFORM(create_vnode, cred, parent, &parent->v_label, child, &child->v_label); } int mac_setsockopt_label_set(struct ucred *cred, struct socket *so, struct mac *extmac) { struct label intlabel; int error; error = mac_internalize(&intlabel, extmac); if (error) return (error); mac_check_socket_relabel(cred, so, &intlabel); if (error) { mac_destroy_temp(&intlabel); return (error); } mac_relabel_socket(cred, so, &intlabel); mac_destroy_temp(&intlabel); return (0); } int mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) { int error; error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); mac_relabel_pipe(cred, pipe, label); return (0); } int mac_getsockopt_label_get(struct ucred *cred, struct socket *so, struct mac *extmac) { return (mac_externalize(&so->so_label, extmac)); } int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, struct mac *extmac) { return (mac_externalize(&so->so_peerlabel, extmac)); } /* * Implementation of VOP_SETLABEL() that relies on extended attributes * to store label data. Can be referenced by filesystems supporting * extended attributes. */ int vop_stdsetlabel_ea(struct vop_setlabel_args *ap) { struct vnode *vp = ap->a_vp; struct label *intlabel = ap->a_label; struct mac extmac; int error; ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea"); /* * XXX: Eventually call out to EA check/set calls here. * Be particularly careful to avoid race conditions, * consistency problems, and stability problems when * dealing with multiple EAs. In particular, we require * the ability to write multiple EAs on the same file in * a single transaction, which the current EA interface * does not provide. */ error = mac_externalize(intlabel, &extmac); if (error) return (error); error = vn_extattr_set(vp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, sizeof(extmac), (char *)&extmac, curthread); if (error) return (error); mac_relabel_vnode(ap->a_cred, vp, intlabel); vp->v_vflag |= VV_CACHEDLABEL; return (0); } static int vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) { int error; if (vp->v_mount == NULL) { /* printf("vn_setlabel: null v_mount\n"); */ if (vp->v_tag != VT_NON) printf("vn_setlabel: null v_mount with non-VT_NON\n"); return (EBADF); } if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) return (EOPNOTSUPP); /* * Multi-phase commit. First check the policies to confirm the * change is OK. Then commit via the filesystem. Finally, * update the actual vnode label. Question: maybe the filesystem * should update the vnode at the end as part of VOP_SETLABEL()? */ error = mac_check_vnode_relabel(cred, vp, intlabel); if (error) return (error); /* * VADMIN provides the opportunity for the filesystem to make * decisions about who is and is not able to modify labels * and protections on files. This might not be right. We can't * assume VOP_SETLABEL() will do it, because we might implement * that as part of vop_stdsetlabel_ea(). */ error = VOP_ACCESS(vp, VADMIN, cred, curthread); if (error) return (error); error = VOP_SETLABEL(vp, intlabel, cred, curthread); if (error) return (error); return (0); } /* * MPSAFE */ int __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) { struct mac extmac; int error; error = mac_externalize(&td->td_ucred->cr_label, &extmac); if (error == 0) error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); return (error); } /* * MPSAFE * * XXX: Needs to be re-written for proc locking. */ int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { struct ucred *newcred, *oldcred; struct proc *p; struct mac extmac; struct label intlabel; int error; error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) return (error); error = mac_internalize(&intlabel, &extmac); if (error) return (error); newcred = crget(); p = td->td_proc; PROC_LOCK(p); oldcred = p->p_ucred; error = mac_check_cred_relabel(oldcred, &intlabel); if (error) { PROC_UNLOCK(p); mac_destroy_temp(&intlabel); crfree(newcred); return (error); } setsugid(p); crcopy(newcred, oldcred); PROC_UNLOCK(p); mac_relabel_cred(newcred, &intlabel); PROC_LOCK(p); p->p_ucred = newcred; PROC_UNLOCK(p); crfree(oldcred); mac_destroy_temp(&intlabel); return (0); } /* * MPSAFE */ int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { struct file *fp; struct mac extmac; struct vnode *vp; struct pipe *pipe; int error; mtx_lock(&Giant); error = fget(td, SCARG(uap, fd), &fp); if (error) goto out; switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: vp = (struct vnode *)fp->f_data; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = vn_refreshlabel(vp, td->td_ucred); if (error == 0) error = mac_externalize(&vp->v_label, &extmac); VOP_UNLOCK(vp, 0, td); break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; error = mac_externalize(pipe->pipe_label, &extmac); break; default: error = EINVAL; } if (error == 0) error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); fdrop(fp, td); out: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { struct nameidata nd; struct mac extmac; int error; mtx_lock(&Giant); NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, SCARG(uap, path_p), td); error = namei(&nd); if (error) goto out; error = vn_refreshlabel(nd.ni_vp, td->td_ucred); if (error == 0) error = mac_externalize(&nd.ni_vp->v_label, &extmac); NDFREE(&nd, 0); if (error) goto out; error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); out: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { struct file *fp; struct mac extmac; struct label intlabel; struct mount *mp; struct vnode *vp; struct pipe *pipe; int error; mtx_lock(&Giant); error = fget(td, SCARG(uap, fd), &fp); if (error) goto out1; error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) goto out2; error = mac_internalize(&intlabel, &extmac); if (error) goto out2; switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: vp = (struct vnode *)fp->f_data; error = vn_start_write(vp, &mp, V_WAIT | PCATCH); if (error != 0) break; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = vn_setlabel(vp, &intlabel, td->td_ucred); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); mac_destroy_temp(&intlabel); break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); break; default: error = EINVAL; } out2: fdrop(fp, td); out1: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { struct nameidata nd; struct mac extmac; struct label intlabel; struct mount *mp; int error; mtx_lock(&Giant); error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) goto out; error = mac_internalize(&intlabel, &extmac); if (error) goto out; NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, SCARG(uap, path_p), td); error = namei(&nd); if (error) goto out2; error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error) goto out2; error = vn_setlabel(nd.ni_vp, &intlabel, td->td_ucred); vn_finished_write(mp); out2: mac_destroy_temp(&intlabel); NDFREE(&nd, 0); out: mtx_unlock(&Giant); return (error); } SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); #else /* !MAC */ int __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) { return (ENOSYS); } int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { return (ENOSYS); } int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { return (ENOSYS); } int __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { return (ENOSYS); } int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { return (ENOSYS); } int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { return (ENOSYS); } #endif /* !MAC */ Index: head/sys/kern/tty_tty.c =================================================================== --- head/sys/kern/tty_tty.c (revision 102111) +++ head/sys/kern/tty_tty.c (revision 102112) @@ -1,283 +1,283 @@ /*- * Copyright (c) 1982, 1986, 1991, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)tty_tty.c 8.2 (Berkeley) 9/23/93 * $FreeBSD$ */ /* * Indirect driver for controlling tty. */ #include "opt_mac.h" #include #include #include #include #include #include #include #include #include #include #include static d_open_t cttyopen; static d_read_t cttyread; static d_write_t cttywrite; static d_ioctl_t cttyioctl; static d_poll_t cttypoll; #define CDEV_MAJOR 1 static struct cdevsw ctty_cdevsw = { /* open */ cttyopen, /* close */ nullclose, /* read */ cttyread, /* write */ cttywrite, /* ioctl */ cttyioctl, /* poll */ cttypoll, /* mmap */ nommap, /* strategy */ nostrategy, /* name */ "ctty", /* maj */ CDEV_MAJOR, /* dump */ nodump, /* psize */ nopsize, /* flags */ D_TTY, }; #define cttyvp(td) ((td)->td_proc->p_flag & P_CONTROLT ? (td)->td_proc->p_session->s_ttyvp : NULL) /*ARGSUSED*/ static int cttyopen(dev, flag, mode, td) dev_t dev; int flag, mode; struct thread *td; { struct vnode *ttyvp; int error; PROC_LOCK(td->td_proc); SESS_LOCK(td->td_proc->p_session); ttyvp = cttyvp(td); SESS_UNLOCK(td->td_proc->p_session); PROC_UNLOCK(td->td_proc); if (ttyvp == NULL) return (ENXIO); vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC error = mac_check_vnode_open(td->td_ucred, ttyvp, flag); if (error) { VOP_UNLOCK(ttyvp, 0, td); return (error); } #endif error = VOP_OPEN(ttyvp, flag, NOCRED, td); VOP_UNLOCK(ttyvp, 0, td); return (error); } /*ARGSUSED*/ static int cttyread(dev, uio, flag) dev_t dev; struct uio *uio; int flag; { struct thread *td = uio->uio_td; register struct vnode *ttyvp; int error; PROC_LOCK(td->td_proc); SESS_LOCK(td->td_proc->p_session); ttyvp = cttyvp(td); SESS_UNLOCK(td->td_proc->p_session); PROC_UNLOCK(td->td_proc); if (ttyvp == NULL) return (EIO); vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC /* XXX: Shouldn't the cred below be td->td_ucred not NOCRED? */ - error = mac_check_vnode_op(td->td_ucred, ttyvp, MAC_OP_VNODE_READ); + error = mac_check_vnode_read(td->td_ucred, ttyvp); if (error == 0) #endif error = VOP_READ(ttyvp, uio, flag, NOCRED); VOP_UNLOCK(ttyvp, 0, td); return (error); } /*ARGSUSED*/ static int cttywrite(dev, uio, flag) dev_t dev; struct uio *uio; int flag; { struct thread *td = uio->uio_td; struct vnode *ttyvp; struct mount *mp; int error; PROC_LOCK(td->td_proc); SESS_LOCK(td->td_proc->p_session); ttyvp = cttyvp(td); SESS_UNLOCK(td->td_proc->p_session); PROC_UNLOCK(td->td_proc); if (ttyvp == NULL) return (EIO); mp = NULL; if (ttyvp->v_type != VCHR && (error = vn_start_write(ttyvp, &mp, V_WAIT | PCATCH)) != 0) return (error); vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC /* XXX: shouldn't the cred below be td->td_ucred not NOCRED? */ - error = mac_check_vnode_op(td->td_ucred, ttyvp, MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(td->td_ucred, ttyvp); if (error == 0) #endif error = VOP_WRITE(ttyvp, uio, flag, NOCRED); VOP_UNLOCK(ttyvp, 0, td); vn_finished_write(mp); return (error); } /*ARGSUSED*/ static int cttyioctl(dev, cmd, addr, flag, td) dev_t dev; u_long cmd; caddr_t addr; int flag; struct thread *td; { struct vnode *ttyvp; int error; PROC_LOCK(td->td_proc); SESS_LOCK(td->td_proc->p_session); ttyvp = cttyvp(td); SESS_UNLOCK(td->td_proc->p_session); PROC_UNLOCK(td->td_proc); if (ttyvp == NULL) return (EIO); if (cmd == TIOCSCTTY) /* don't allow controlling tty to be set */ return EINVAL; /* to controlling tty -- infinite recursion */ if (cmd == TIOCNOTTY) { PROC_LOCK(td->td_proc); SESS_LOCK(td->td_proc->p_session); error = 0; if (!SESS_LEADER(td->td_proc)) td->td_proc->p_flag &= ~P_CONTROLT; else error = EINVAL; SESS_UNLOCK(td->td_proc->p_session); PROC_UNLOCK(td->td_proc); return (error); } /* XXXMAC: Should this be td->td_ucred below? */ return (VOP_IOCTL(ttyvp, cmd, addr, flag, NOCRED, td)); } /*ARGSUSED*/ static int cttypoll(dev, events, td) dev_t dev; int events; struct thread *td; { struct vnode *ttyvp; #ifdef MAC int error; #endif PROC_LOCK(td->td_proc); SESS_LOCK(td->td_proc->p_session); ttyvp = cttyvp(td); SESS_UNLOCK(td->td_proc->p_session); PROC_UNLOCK(td->td_proc); if (ttyvp == NULL) /* try operation to get EOF/failure */ return (seltrue(dev, events, td)); #ifdef MAC vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td); - error = mac_check_vnode_op(td->td_ucred, ttyvp, MAC_OP_VNODE_POLL); + error = mac_check_vnode_poll(td->td_ucred, ttyvp); VOP_UNLOCK(ttyvp, 0, td); if (error) return (error); #endif return (VOP_POLL(ttyvp, events, td->td_ucred, td)); } static void ctty_clone(void *arg, char *name, int namelen, dev_t *dev); static dev_t ctty; static void ctty_clone(void *arg, char *name, int namelen, dev_t *dev) { struct vnode *vp; if (*dev != NODEV) return; if (strcmp(name, "tty")) return; vp = cttyvp(curthread); if (vp == NULL) { if (ctty) *dev = ctty; } else *dev = vp->v_rdev; } static void ctty_drvinit(void *unused); static void ctty_drvinit(unused) void *unused; { if (devfs_present) { EVENTHANDLER_REGISTER(dev_clone, ctty_clone, 0, 1000); ctty = make_dev(&ctty_cdevsw, 0, 0, 0, 0666, "ctty"); } else { make_dev(&ctty_cdevsw, 0, 0, 0, 0666, "tty"); } } SYSINIT(cttydev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ctty_drvinit,NULL) Index: head/sys/kern/vfs_extattr.c =================================================================== --- head/sys/kern/vfs_extattr.c (revision 102111) +++ head/sys/kern/vfs_extattr.c (revision 102112) @@ -1,3966 +1,3962 @@ /* * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. * (c) UNIX System Laboratories, Inc. * All or some portions of this file are derived from material licensed * to the University of California by American Telephone and Telegraph * Co. or Unix System Laboratories, Inc. and are reproduced herein with * the permission of UNIX System Laboratories, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)vfs_syscalls.c 8.13 (Berkeley) 4/15/94 * $FreeBSD$ */ /* For 4.3 integer FS ID compatibility */ #include "opt_compat.h" #include "opt_mac.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static int change_dir(struct nameidata *ndp, struct thread *td); static int chroot_refuse_vdir_fds(struct filedesc *fdp); static int getutimes(const struct timeval *, struct timespec *); static int setfown(struct thread *td, struct vnode *, uid_t, gid_t); static int setfmode(struct thread *td, struct vnode *, int); static int setfflags(struct thread *td, struct vnode *, int); static int setutimes(struct thread *td, struct vnode *, const struct timespec *, int, int); static int vn_access(struct vnode *vp, int user_flags, struct ucred *cred, struct thread *td); int (*union_dircheckp)(struct thread *td, struct vnode **, struct file *); int (*softdep_fsync_hook)(struct vnode *); /* * Sync each mounted filesystem. */ #ifndef _SYS_SYSPROTO_H_ struct sync_args { int dummy; }; #endif #ifdef DEBUG static int syncprt = 0; SYSCTL_INT(_debug, OID_AUTO, syncprt, CTLFLAG_RW, &syncprt, 0, ""); #endif /* ARGSUSED */ int sync(td, uap) struct thread *td; struct sync_args *uap; { struct mount *mp, *nmp; int asyncflag; mtx_lock(&mountlist_mtx); for (mp = TAILQ_FIRST(&mountlist); mp != NULL; mp = nmp) { if (vfs_busy(mp, LK_NOWAIT, &mountlist_mtx, td)) { nmp = TAILQ_NEXT(mp, mnt_list); continue; } if ((mp->mnt_flag & MNT_RDONLY) == 0 && vn_start_write(NULL, &mp, V_NOWAIT) == 0) { asyncflag = mp->mnt_flag & MNT_ASYNC; mp->mnt_flag &= ~MNT_ASYNC; vfs_msync(mp, MNT_NOWAIT); VFS_SYNC(mp, MNT_NOWAIT, ((td != NULL) ? td->td_ucred : NOCRED), td); mp->mnt_flag |= asyncflag; vn_finished_write(mp); } mtx_lock(&mountlist_mtx); nmp = TAILQ_NEXT(mp, mnt_list); vfs_unbusy(mp, td); } mtx_unlock(&mountlist_mtx); #if 0 /* * XXX don't call vfs_bufstats() yet because that routine * was not imported in the Lite2 merge. */ #ifdef DIAGNOSTIC if (syncprt) vfs_bufstats(); #endif /* DIAGNOSTIC */ #endif return (0); } /* XXX PRISON: could be per prison flag */ static int prison_quotas; #if 0 SYSCTL_INT(_kern_prison, OID_AUTO, quotas, CTLFLAG_RW, &prison_quotas, 0, ""); #endif /* * Change filesystem quotas. */ #ifndef _SYS_SYSPROTO_H_ struct quotactl_args { char *path; int cmd; int uid; caddr_t arg; }; #endif /* ARGSUSED */ int quotactl(td, uap) struct thread *td; register struct quotactl_args /* { syscallarg(char *) path; syscallarg(int) cmd; syscallarg(int) uid; syscallarg(caddr_t) arg; } */ *uap; { struct mount *mp; int error; struct nameidata nd; if (jailed(td->td_ucred) && !prison_quotas) return (EPERM); NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); vrele(nd.ni_vp); if (error) return (error); error = VFS_QUOTACTL(mp, SCARG(uap, cmd), SCARG(uap, uid), SCARG(uap, arg), td); vn_finished_write(mp); return (error); } /* * Get filesystem statistics. */ #ifndef _SYS_SYSPROTO_H_ struct statfs_args { char *path; struct statfs *buf; }; #endif /* ARGSUSED */ int statfs(td, uap) struct thread *td; register struct statfs_args /* { syscallarg(char *) path; syscallarg(struct statfs *) buf; } */ *uap; { register struct mount *mp; register struct statfs *sp; int error; struct nameidata nd; struct statfs sb; NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); mp = nd.ni_vp->v_mount; sp = &mp->mnt_stat; NDFREE(&nd, NDF_ONLY_PNBUF); vrele(nd.ni_vp); #ifdef MAC error = mac_check_mount_stat(td->td_ucred, mp); if (error) return (error); #endif error = VFS_STATFS(mp, sp, td); if (error) return (error); sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; if (suser(td)) { bcopy(sp, &sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; sp = &sb; } return (copyout(sp, SCARG(uap, buf), sizeof(*sp))); } /* * Get filesystem statistics. */ #ifndef _SYS_SYSPROTO_H_ struct fstatfs_args { int fd; struct statfs *buf; }; #endif /* ARGSUSED */ int fstatfs(td, uap) struct thread *td; register struct fstatfs_args /* { syscallarg(int) fd; syscallarg(struct statfs *) buf; } */ *uap; { struct file *fp; struct mount *mp; register struct statfs *sp; int error; struct statfs sb; if ((error = getvnode(td->td_proc->p_fd, SCARG(uap, fd), &fp)) != 0) return (error); mp = ((struct vnode *)fp->f_data)->v_mount; fdrop(fp, td); if (mp == NULL) return (EBADF); #ifdef MAC error = mac_check_mount_stat(td->td_ucred, mp); if (error) return (error); #endif sp = &mp->mnt_stat; error = VFS_STATFS(mp, sp, td); if (error) return (error); sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; if (suser(td)) { bcopy(sp, &sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; sp = &sb; } return (copyout(sp, SCARG(uap, buf), sizeof(*sp))); } /* * Get statistics on all filesystems. */ #ifndef _SYS_SYSPROTO_H_ struct getfsstat_args { struct statfs *buf; long bufsize; int flags; }; #endif int getfsstat(td, uap) struct thread *td; register struct getfsstat_args /* { syscallarg(struct statfs *) buf; syscallarg(long) bufsize; syscallarg(int) flags; } */ *uap; { register struct mount *mp, *nmp; register struct statfs *sp; caddr_t sfsp; long count, maxcount, error; maxcount = SCARG(uap, bufsize) / sizeof(struct statfs); sfsp = (caddr_t)SCARG(uap, buf); count = 0; mtx_lock(&mountlist_mtx); for (mp = TAILQ_FIRST(&mountlist); mp != NULL; mp = nmp) { #ifdef MAC if (mac_check_mount_stat(td->td_ucred, mp) != 0) { nmp = TAILQ_NEXT(mp, mnt_list); continue; } #endif if (vfs_busy(mp, LK_NOWAIT, &mountlist_mtx, td)) { nmp = TAILQ_NEXT(mp, mnt_list); continue; } if (sfsp && count < maxcount) { sp = &mp->mnt_stat; /* * If MNT_NOWAIT or MNT_LAZY is specified, do not * refresh the fsstat cache. MNT_NOWAIT or MNT_LAZY * overrides MNT_WAIT. */ if (((SCARG(uap, flags) & (MNT_LAZY|MNT_NOWAIT)) == 0 || (SCARG(uap, flags) & MNT_WAIT)) && (error = VFS_STATFS(mp, sp, td))) { mtx_lock(&mountlist_mtx); nmp = TAILQ_NEXT(mp, mnt_list); vfs_unbusy(mp, td); continue; } sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; error = copyout(sp, sfsp, sizeof(*sp)); if (error) { vfs_unbusy(mp, td); return (error); } sfsp += sizeof(*sp); } count++; mtx_lock(&mountlist_mtx); nmp = TAILQ_NEXT(mp, mnt_list); vfs_unbusy(mp, td); } mtx_unlock(&mountlist_mtx); if (sfsp && count > maxcount) td->td_retval[0] = maxcount; else td->td_retval[0] = count; return (0); } /* * Change current working directory to a given file descriptor. */ #ifndef _SYS_SYSPROTO_H_ struct fchdir_args { int fd; }; #endif /* ARGSUSED */ int fchdir(td, uap) struct thread *td; struct fchdir_args /* { syscallarg(int) fd; } */ *uap; { register struct filedesc *fdp = td->td_proc->p_fd; struct vnode *vp, *tdp, *vpold; struct mount *mp; struct file *fp; int error; if ((error = getvnode(fdp, SCARG(uap, fd), &fp)) != 0) return (error); vp = (struct vnode *)fp->f_data; VREF(vp); fdrop(fp, td); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); if (vp->v_type != VDIR) error = ENOTDIR; #ifdef MAC else if ((error = mac_check_vnode_chdir(td->td_ucred, vp)) != 0) { } #endif else error = VOP_ACCESS(vp, VEXEC, td->td_ucred, td); while (!error && (mp = vp->v_mountedhere) != NULL) { if (vfs_busy(mp, 0, 0, td)) continue; error = VFS_ROOT(mp, &tdp); vfs_unbusy(mp, td); if (error) break; vput(vp); vp = tdp; } if (error) { vput(vp); return (error); } VOP_UNLOCK(vp, 0, td); FILEDESC_LOCK(fdp); vpold = fdp->fd_cdir; fdp->fd_cdir = vp; FILEDESC_UNLOCK(fdp); vrele(vpold); return (0); } /* * Change current working directory (``.''). */ #ifndef _SYS_SYSPROTO_H_ struct chdir_args { char *path; }; #endif /* ARGSUSED */ int chdir(td, uap) struct thread *td; struct chdir_args /* { syscallarg(char *) path; } */ *uap; { register struct filedesc *fdp = td->td_proc->p_fd; int error; struct nameidata nd; struct vnode *vp; NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, SCARG(uap, path), td); if ((error = change_dir(&nd, td)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); FILEDESC_LOCK(fdp); vp = fdp->fd_cdir; fdp->fd_cdir = nd.ni_vp; FILEDESC_UNLOCK(fdp); vrele(vp); return (0); } /* * Helper function for raised chroot(2) security function: Refuse if * any filedescriptors are open directories. */ static int chroot_refuse_vdir_fds(fdp) struct filedesc *fdp; { struct vnode *vp; struct file *fp; int fd; FILEDESC_LOCK_ASSERT(fdp, MA_OWNED); for (fd = 0; fd < fdp->fd_nfiles ; fd++) { fp = fget_locked(fdp, fd); if (fp == NULL) continue; if (fp->f_type == DTYPE_VNODE) { vp = (struct vnode *)fp->f_data; if (vp->v_type == VDIR) return (EPERM); } } return (0); } /* * This sysctl determines if we will allow a process to chroot(2) if it * has a directory open: * 0: disallowed for all processes. * 1: allowed for processes that were not already chroot(2)'ed. * 2: allowed for all processes. */ static int chroot_allow_open_directories = 1; SYSCTL_INT(_kern, OID_AUTO, chroot_allow_open_directories, CTLFLAG_RW, &chroot_allow_open_directories, 0, ""); /* * Change notion of root (``/'') directory. */ #ifndef _SYS_SYSPROTO_H_ struct chroot_args { char *path; }; #endif /* ARGSUSED */ int chroot(td, uap) struct thread *td; struct chroot_args /* { syscallarg(char *) path; } */ *uap; { register struct filedesc *fdp = td->td_proc->p_fd; int error; struct nameidata nd; struct vnode *vp; error = suser_cred(td->td_ucred, PRISON_ROOT); if (error) return (error); NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, SCARG(uap, path), td); mtx_lock(&Giant); if ((error = change_dir(&nd, td)) != 0) goto error; #ifdef MAC if ((error = mac_check_vnode_chroot(td->td_ucred, nd.ni_vp))) goto error; #endif FILEDESC_LOCK(fdp); if (chroot_allow_open_directories == 0 || (chroot_allow_open_directories == 1 && fdp->fd_rdir != rootvnode)) { error = chroot_refuse_vdir_fds(fdp); if (error) goto error_unlock; } vp = fdp->fd_rdir; fdp->fd_rdir = nd.ni_vp; if (!fdp->fd_jdir) { fdp->fd_jdir = nd.ni_vp; VREF(fdp->fd_jdir); } FILEDESC_UNLOCK(fdp); NDFREE(&nd, NDF_ONLY_PNBUF); vrele(vp); mtx_unlock(&Giant); return (0); error_unlock: FILEDESC_UNLOCK(fdp); error: mtx_unlock(&Giant); NDFREE(&nd, 0); return (error); } /* * Common routine for chroot and chdir. */ static int change_dir(ndp, td) register struct nameidata *ndp; struct thread *td; { struct vnode *vp; int error; error = namei(ndp); if (error) return (error); vp = ndp->ni_vp; if (vp->v_type != VDIR) error = ENOTDIR; #ifdef MAC else if ((error = mac_check_vnode_chdir(td->td_ucred, vp)) != 0) { } #endif else error = VOP_ACCESS(vp, VEXEC, td->td_ucred, td); if (error) vput(vp); else VOP_UNLOCK(vp, 0, td); return (error); } /* * Check permissions, allocate an open file structure, * and call the device open routine if any. */ #ifndef _SYS_SYSPROTO_H_ struct open_args { char *path; int flags; int mode; }; #endif int open(td, uap) struct thread *td; register struct open_args /* { syscallarg(char *) path; syscallarg(int) flags; syscallarg(int) mode; } */ *uap; { struct proc *p = td->td_proc; struct filedesc *fdp = p->p_fd; struct file *fp; struct vnode *vp; struct vattr vat; struct mount *mp; int cmode, flags, oflags; struct file *nfp; int type, indx, error; struct flock lf; struct nameidata nd; oflags = SCARG(uap, flags); if ((oflags & O_ACCMODE) == O_ACCMODE) return (EINVAL); flags = FFLAGS(oflags); error = falloc(td, &nfp, &indx); if (error) return (error); fp = nfp; FILEDESC_LOCK(fdp); cmode = ((SCARG(uap, mode) &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT; FILEDESC_UNLOCK(fdp); NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), td); td->td_dupfd = -indx - 1; /* XXX check for fdopen */ /* * Bump the ref count to prevent another process from closing * the descriptor while we are blocked in vn_open() */ fhold(fp); error = vn_open(&nd, &flags, cmode); if (error) { /* * release our own reference */ fdrop(fp, td); /* * handle special fdopen() case. bleh. dupfdopen() is * responsible for dropping the old contents of ofiles[indx] * if it succeeds. */ if ((error == ENODEV || error == ENXIO) && td->td_dupfd >= 0 && /* XXX from fdopen */ (error = dupfdopen(td, fdp, indx, td->td_dupfd, flags, error)) == 0) { td->td_retval[0] = indx; return (0); } /* * Clean up the descriptor, but only if another thread hadn't * replaced or closed it. */ FILEDESC_LOCK(fdp); if (fdp->fd_ofiles[indx] == fp) { fdp->fd_ofiles[indx] = NULL; FILEDESC_UNLOCK(fdp); fdrop(fp, td); } else FILEDESC_UNLOCK(fdp); if (error == ERESTART) error = EINTR; return (error); } td->td_dupfd = 0; NDFREE(&nd, NDF_ONLY_PNBUF); vp = nd.ni_vp; /* * There should be 2 references on the file, one from the descriptor * table, and one for us. * * Handle the case where someone closed the file (via its file * descriptor) while we were blocked. The end result should look * like opening the file succeeded but it was immediately closed. */ FILEDESC_LOCK(fdp); FILE_LOCK(fp); if (fp->f_count == 1) { KASSERT(fdp->fd_ofiles[indx] != fp, ("Open file descriptor lost all refs")); FILEDESC_UNLOCK(fdp); FILE_UNLOCK(fp); VOP_UNLOCK(vp, 0, td); vn_close(vp, flags & FMASK, fp->f_cred, td); fdrop(fp, td); td->td_retval[0] = indx; return 0; } /* assert that vn_open created a backing object if one is needed */ KASSERT(!vn_canvmio(vp) || VOP_GETVOBJECT(vp, NULL) == 0, ("open: vmio vnode has no backing object after vn_open")); fp->f_data = vp; fp->f_flag = flags & FMASK; fp->f_ops = &vnops; fp->f_type = (vp->v_type == VFIFO ? DTYPE_FIFO : DTYPE_VNODE); FILEDESC_UNLOCK(fdp); FILE_UNLOCK(fp); VOP_UNLOCK(vp, 0, td); if (flags & (O_EXLOCK | O_SHLOCK)) { lf.l_whence = SEEK_SET; lf.l_start = 0; lf.l_len = 0; if (flags & O_EXLOCK) lf.l_type = F_WRLCK; else lf.l_type = F_RDLCK; type = F_FLOCK; if ((flags & FNONBLOCK) == 0) type |= F_WAIT; if ((error = VOP_ADVLOCK(vp, (caddr_t)fp, F_SETLK, &lf, type)) != 0) goto bad; fp->f_flag |= FHASLOCK; } if (flags & O_TRUNC) { if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) goto bad; VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); VATTR_NULL(&vat); vat.va_size = 0; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC - error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(td->td_ucred, vp); if (error == 0) #endif error = VOP_SETATTR(vp, &vat, td->td_ucred, td); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); if (error) goto bad; } /* * Release our private reference, leaving the one associated with * the descriptor table intact. */ fdrop(fp, td); td->td_retval[0] = indx; return (0); bad: FILEDESC_LOCK(fdp); if (fdp->fd_ofiles[indx] == fp) { fdp->fd_ofiles[indx] = NULL; FILEDESC_UNLOCK(fdp); fdrop(fp, td); } else FILEDESC_UNLOCK(fdp); return (error); } #ifdef COMPAT_43 /* * Create a file. */ #ifndef _SYS_SYSPROTO_H_ struct ocreat_args { char *path; int mode; }; #endif int ocreat(td, uap) struct thread *td; register struct ocreat_args /* { syscallarg(char *) path; syscallarg(int) mode; } */ *uap; { struct open_args /* { syscallarg(char *) path; syscallarg(int) flags; syscallarg(int) mode; } */ nuap; SCARG(&nuap, path) = SCARG(uap, path); SCARG(&nuap, mode) = SCARG(uap, mode); SCARG(&nuap, flags) = O_WRONLY | O_CREAT | O_TRUNC; return (open(td, &nuap)); } #endif /* COMPAT_43 */ /* * Create a special file. */ #ifndef _SYS_SYSPROTO_H_ struct mknod_args { char *path; int mode; int dev; }; #endif /* ARGSUSED */ int mknod(td, uap) struct thread *td; register struct mknod_args /* { syscallarg(char *) path; syscallarg(int) mode; syscallarg(int) dev; } */ *uap; { struct vnode *vp; struct mount *mp; struct vattr vattr; int error; int whiteout = 0; struct nameidata nd; switch (SCARG(uap, mode) & S_IFMT) { case S_IFCHR: case S_IFBLK: error = suser(td); break; default: error = suser_cred(td->td_ucred, PRISON_ROOT); break; } if (error) return (error); restart: bwillwrite(); NDINIT(&nd, CREATE, LOCKPARENT | SAVENAME, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; if (vp != NULL) { vrele(vp); error = EEXIST; } else { VATTR_NULL(&vattr); FILEDESC_LOCK(td->td_proc->p_fd); vattr.va_mode = (SCARG(uap, mode) & ALLPERMS) &~ td->td_proc->p_fd->fd_cmask; FILEDESC_UNLOCK(td->td_proc->p_fd); vattr.va_rdev = SCARG(uap, dev); whiteout = 0; switch (SCARG(uap, mode) & S_IFMT) { case S_IFMT: /* used by badsect to flag bad sectors */ vattr.va_type = VBAD; break; case S_IFCHR: vattr.va_type = VCHR; break; case S_IFBLK: vattr.va_type = VBLK; break; case S_IFWHT: whiteout = 1; break; default: error = EINVAL; break; } } if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) { NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); if ((error = vn_start_write(NULL, &mp, V_XSLEEP | PCATCH)) != 0) return (error); goto restart; } if (!error) { VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE); if (whiteout) error = VOP_WHITEOUT(nd.ni_dvp, &nd.ni_cnd, CREATE); else { error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr); if (error == 0) vput(nd.ni_vp); } } NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); vn_finished_write(mp); ASSERT_VOP_UNLOCKED(nd.ni_dvp, "mknod"); ASSERT_VOP_UNLOCKED(nd.ni_vp, "mknod"); return (error); } /* * Create a named pipe. */ #ifndef _SYS_SYSPROTO_H_ struct mkfifo_args { char *path; int mode; }; #endif /* ARGSUSED */ int mkfifo(td, uap) struct thread *td; register struct mkfifo_args /* { syscallarg(char *) path; syscallarg(int) mode; } */ *uap; { struct mount *mp; struct vattr vattr; int error; struct nameidata nd; restart: bwillwrite(); NDINIT(&nd, CREATE, LOCKPARENT | SAVENAME, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); if (nd.ni_vp != NULL) { NDFREE(&nd, NDF_ONLY_PNBUF); vrele(nd.ni_vp); vput(nd.ni_dvp); return (EEXIST); } if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) { NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); if ((error = vn_start_write(NULL, &mp, V_XSLEEP | PCATCH)) != 0) return (error); goto restart; } VATTR_NULL(&vattr); vattr.va_type = VFIFO; FILEDESC_LOCK(td->td_proc->p_fd); vattr.va_mode = (SCARG(uap, mode) & ALLPERMS) &~ td->td_proc->p_fd->fd_cmask; FILEDESC_UNLOCK(td->td_proc->p_fd); VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE); error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr); if (error == 0) vput(nd.ni_vp); NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); vn_finished_write(mp); return (error); } /* * Make a hard file link. */ #ifndef _SYS_SYSPROTO_H_ struct link_args { char *path; char *link; }; #endif /* ARGSUSED */ int link(td, uap) struct thread *td; register struct link_args /* { syscallarg(char *) path; syscallarg(char *) link; } */ *uap; { struct vnode *vp; struct mount *mp; struct nameidata nd; int error; bwillwrite(); NDINIT(&nd, LOOKUP, FOLLOW|NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); vp = nd.ni_vp; if (vp->v_type == VDIR) { vrele(vp); return (EPERM); /* POSIX */ } if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) { vrele(vp); return (error); } NDINIT(&nd, CREATE, LOCKPARENT | NOOBJ | SAVENAME, UIO_USERSPACE, SCARG(uap, link), td); if ((error = namei(&nd)) == 0) { if (nd.ni_vp != NULL) { vrele(nd.ni_vp); error = EEXIST; } else { VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); error = VOP_LINK(nd.ni_dvp, vp, &nd.ni_cnd); } NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); } vrele(vp); vn_finished_write(mp); ASSERT_VOP_UNLOCKED(nd.ni_dvp, "link"); ASSERT_VOP_UNLOCKED(nd.ni_vp, "link"); return (error); } /* * Make a symbolic link. */ #ifndef _SYS_SYSPROTO_H_ struct symlink_args { char *path; char *link; }; #endif /* ARGSUSED */ int symlink(td, uap) struct thread *td; register struct symlink_args /* { syscallarg(char *) path; syscallarg(char *) link; } */ *uap; { struct mount *mp; struct vattr vattr; char *path; int error; struct nameidata nd; path = uma_zalloc(namei_zone, M_WAITOK); if ((error = copyinstr(SCARG(uap, path), path, MAXPATHLEN, NULL)) != 0) goto out; restart: bwillwrite(); NDINIT(&nd, CREATE, LOCKPARENT | NOOBJ | SAVENAME, UIO_USERSPACE, SCARG(uap, link), td); if ((error = namei(&nd)) != 0) goto out; if (nd.ni_vp) { NDFREE(&nd, NDF_ONLY_PNBUF); vrele(nd.ni_vp); vput(nd.ni_dvp); error = EEXIST; goto out; } if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) { NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); if ((error = vn_start_write(NULL, &mp, V_XSLEEP | PCATCH)) != 0) return (error); goto restart; } VATTR_NULL(&vattr); FILEDESC_LOCK(td->td_proc->p_fd); vattr.va_mode = ACCESSPERMS &~ td->td_proc->p_fd->fd_cmask; FILEDESC_UNLOCK(td->td_proc->p_fd); VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE); error = VOP_SYMLINK(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr, path); NDFREE(&nd, NDF_ONLY_PNBUF); if (error == 0) vput(nd.ni_vp); vput(nd.ni_dvp); vn_finished_write(mp); ASSERT_VOP_UNLOCKED(nd.ni_dvp, "symlink"); ASSERT_VOP_UNLOCKED(nd.ni_vp, "symlink"); out: uma_zfree(namei_zone, path); return (error); } /* * Delete a whiteout from the filesystem. */ /* ARGSUSED */ int undelete(td, uap) struct thread *td; register struct undelete_args /* { syscallarg(char *) path; } */ *uap; { int error; struct mount *mp; struct nameidata nd; restart: bwillwrite(); NDINIT(&nd, DELETE, LOCKPARENT|DOWHITEOUT, UIO_USERSPACE, SCARG(uap, path), td); error = namei(&nd); if (error) return (error); if (nd.ni_vp != NULLVP || !(nd.ni_cnd.cn_flags & ISWHITEOUT)) { NDFREE(&nd, NDF_ONLY_PNBUF); if (nd.ni_vp) vrele(nd.ni_vp); vput(nd.ni_dvp); return (EEXIST); } if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) { NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); if ((error = vn_start_write(NULL, &mp, V_XSLEEP | PCATCH)) != 0) return (error); goto restart; } VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE); error = VOP_WHITEOUT(nd.ni_dvp, &nd.ni_cnd, DELETE); NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); vn_finished_write(mp); ASSERT_VOP_UNLOCKED(nd.ni_dvp, "undelete"); ASSERT_VOP_UNLOCKED(nd.ni_vp, "undelete"); return (error); } /* * Delete a name from the filesystem. */ #ifndef _SYS_SYSPROTO_H_ struct unlink_args { char *path; }; #endif /* ARGSUSED */ int unlink(td, uap) struct thread *td; struct unlink_args /* { syscallarg(char *) path; } */ *uap; { struct mount *mp; struct vnode *vp; int error; struct nameidata nd; restart: bwillwrite(); NDINIT(&nd, DELETE, LOCKPARENT, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; if (vp->v_type == VDIR) error = EPERM; /* POSIX */ else { /* * The root of a mounted filesystem cannot be deleted. * * XXX: can this only be a VDIR case? */ mp_fixme("Accessing vflags w/o the vn lock."); if (vp->v_vflag & VV_ROOT) error = EBUSY; } if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) { NDFREE(&nd, NDF_ONLY_PNBUF); vrele(vp); vput(nd.ni_dvp); if ((error = vn_start_write(NULL, &mp, V_XSLEEP | PCATCH)) != 0) return (error); goto restart; } VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); if (!error) { VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE); error = VOP_REMOVE(nd.ni_dvp, vp, &nd.ni_cnd); } NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); vput(vp); vn_finished_write(mp); ASSERT_VOP_UNLOCKED(nd.ni_dvp, "unlink"); ASSERT_VOP_UNLOCKED(nd.ni_vp, "unlink"); return (error); } /* * Reposition read/write file offset. */ #ifndef _SYS_SYSPROTO_H_ struct lseek_args { int fd; int pad; off_t offset; int whence; }; #endif int lseek(td, uap) struct thread *td; register struct lseek_args /* { syscallarg(int) fd; syscallarg(int) pad; syscallarg(off_t) offset; syscallarg(int) whence; } */ *uap; { struct ucred *cred = td->td_ucred; struct file *fp; struct vnode *vp; struct vattr vattr; off_t offset; int error, noneg; if ((error = fget(td, uap->fd, &fp)) != 0) return (error); if (fp->f_type != DTYPE_VNODE) { fdrop(fp, td); return (ESPIPE); } vp = (struct vnode *)fp->f_data; noneg = (vp->v_type != VCHR); offset = SCARG(uap, offset); switch (SCARG(uap, whence)) { case L_INCR: if (noneg && (fp->f_offset < 0 || (offset > 0 && fp->f_offset > OFF_MAX - offset))) return (EOVERFLOW); offset += fp->f_offset; break; case L_XTND: vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = VOP_GETATTR(vp, &vattr, cred, td); VOP_UNLOCK(vp, 0, td); if (error) return (error); if (noneg && (vattr.va_size > OFF_MAX || (offset > 0 && vattr.va_size > OFF_MAX - offset))) return (EOVERFLOW); offset += vattr.va_size; break; case L_SET: break; default: fdrop(fp, td); return (EINVAL); } if (noneg && offset < 0) return (EINVAL); fp->f_offset = offset; *(off_t *)(td->td_retval) = fp->f_offset; fdrop(fp, td); return (0); } #if defined(COMPAT_43) || defined(COMPAT_SUNOS) /* * Reposition read/write file offset. */ #ifndef _SYS_SYSPROTO_H_ struct olseek_args { int fd; long offset; int whence; }; #endif int olseek(td, uap) struct thread *td; register struct olseek_args /* { syscallarg(int) fd; syscallarg(long) offset; syscallarg(int) whence; } */ *uap; { struct lseek_args /* { syscallarg(int) fd; syscallarg(int) pad; syscallarg(off_t) offset; syscallarg(int) whence; } */ nuap; int error; SCARG(&nuap, fd) = SCARG(uap, fd); SCARG(&nuap, offset) = SCARG(uap, offset); SCARG(&nuap, whence) = SCARG(uap, whence); error = lseek(td, &nuap); return (error); } #endif /* COMPAT_43 */ /* * Check access permissions using passed credentials. */ static int vn_access(vp, user_flags, cred, td) struct vnode *vp; int user_flags; struct ucred *cred; struct thread *td; { int error, flags; /* Flags == 0 means only check for existence. */ error = 0; if (user_flags) { flags = 0; if (user_flags & R_OK) flags |= VREAD; if (user_flags & W_OK) flags |= VWRITE; if (user_flags & X_OK) flags |= VEXEC; #ifdef MAC error = mac_check_vnode_access(cred, vp, flags); if (error) return (error); #endif if ((flags & VWRITE) == 0 || (error = vn_writechk(vp)) == 0) error = VOP_ACCESS(vp, flags, cred, td); } return (error); } /* * Check access permissions using "real" credentials. */ #ifndef _SYS_SYSPROTO_H_ struct access_args { char *path; int flags; }; #endif int access(td, uap) struct thread *td; register struct access_args /* { syscallarg(char *) path; syscallarg(int) flags; } */ *uap; { struct ucred *cred, *tmpcred; register struct vnode *vp; int error; struct nameidata nd; /* * Create and modify a temporary credential instead of one that * is potentially shared. This could also mess up socket * buffer accounting which can run in an interrupt context. * * XXX - Depending on how "threads" are finally implemented, it * may be better to explicitly pass the credential to namei() * rather than to modify the potentially shared process structure. */ cred = td->td_ucred; tmpcred = crdup(cred); tmpcred->cr_uid = cred->cr_ruid; tmpcred->cr_groups[0] = cred->cr_rgid; td->td_ucred = tmpcred; NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) goto out1; vp = nd.ni_vp; error = vn_access(vp, SCARG(uap, flags), tmpcred, td); NDFREE(&nd, NDF_ONLY_PNBUF); vput(vp); out1: td->td_ucred = cred; crfree(tmpcred); return (error); } /* * Check access permissions using "effective" credentials. */ #ifndef _SYS_SYSPROTO_H_ struct eaccess_args { char *path; int flags; }; #endif int eaccess(td, uap) struct thread *td; register struct eaccess_args /* { syscallarg(char *) path; syscallarg(int) flags; } */ *uap; { struct nameidata nd; struct vnode *vp; int error; NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; error = vn_access(vp, SCARG(uap, flags), td->td_ucred, td); NDFREE(&nd, NDF_ONLY_PNBUF); vput(vp); return (error); } #if defined(COMPAT_43) || defined(COMPAT_SUNOS) /* * Get file status; this version follows links. */ #ifndef _SYS_SYSPROTO_H_ struct ostat_args { char *path; struct ostat *ub; }; #endif /* ARGSUSED */ int ostat(td, uap) struct thread *td; register struct ostat_args /* { syscallarg(char *) path; syscallarg(struct ostat *) ub; } */ *uap; { struct stat sb; struct ostat osb; int error; struct nameidata nd; NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = vn_stat(nd.ni_vp, &sb, td->td_ucred, NOCRED, td); vput(nd.ni_vp); if (error) return (error); cvtstat(&sb, &osb); error = copyout(&osb, SCARG(uap, ub), sizeof (osb)); return (error); } /* * Get file status; this version does not follow links. */ #ifndef _SYS_SYSPROTO_H_ struct olstat_args { char *path; struct ostat *ub; }; #endif /* ARGSUSED */ int olstat(td, uap) struct thread *td; register struct olstat_args /* { syscallarg(char *) path; syscallarg(struct ostat *) ub; } */ *uap; { struct vnode *vp; struct stat sb; struct ostat osb; int error; struct nameidata nd; NDINIT(&nd, LOOKUP, NOFOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; error = vn_stat(vp, &sb, td->td_ucred, NOCRED, td); NDFREE(&nd, NDF_ONLY_PNBUF); vput(vp); if (error) return (error); cvtstat(&sb, &osb); error = copyout(&osb, SCARG(uap, ub), sizeof (osb)); return (error); } /* * Convert from an old to a new stat structure. */ void cvtstat(st, ost) struct stat *st; struct ostat *ost; { ost->st_dev = st->st_dev; ost->st_ino = st->st_ino; ost->st_mode = st->st_mode; ost->st_nlink = st->st_nlink; ost->st_uid = st->st_uid; ost->st_gid = st->st_gid; ost->st_rdev = st->st_rdev; if (st->st_size < (quad_t)1 << 32) ost->st_size = st->st_size; else ost->st_size = -2; ost->st_atime = st->st_atime; ost->st_mtime = st->st_mtime; ost->st_ctime = st->st_ctime; ost->st_blksize = st->st_blksize; ost->st_blocks = st->st_blocks; ost->st_flags = st->st_flags; ost->st_gen = st->st_gen; } #endif /* COMPAT_43 || COMPAT_SUNOS */ /* * Get file status; this version follows links. */ #ifndef _SYS_SYSPROTO_H_ struct stat_args { char *path; struct stat *ub; }; #endif /* ARGSUSED */ int stat(td, uap) struct thread *td; register struct stat_args /* { syscallarg(char *) path; syscallarg(struct stat *) ub; } */ *uap; { struct stat sb; int error; struct nameidata nd; #ifdef LOOKUP_SHARED NDINIT(&nd, LOOKUP, FOLLOW | LOCKSHARED | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); #else NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); #endif if ((error = namei(&nd)) != 0) return (error); error = vn_stat(nd.ni_vp, &sb, td->td_ucred, NOCRED, td); NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_vp); if (error) return (error); error = copyout(&sb, SCARG(uap, ub), sizeof (sb)); return (error); } /* * Get file status; this version does not follow links. */ #ifndef _SYS_SYSPROTO_H_ struct lstat_args { char *path; struct stat *ub; }; #endif /* ARGSUSED */ int lstat(td, uap) struct thread *td; register struct lstat_args /* { syscallarg(char *) path; syscallarg(struct stat *) ub; } */ *uap; { int error; struct vnode *vp; struct stat sb; struct nameidata nd; NDINIT(&nd, LOOKUP, NOFOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; error = vn_stat(vp, &sb, td->td_ucred, NOCRED, td); NDFREE(&nd, NDF_ONLY_PNBUF); vput(vp); if (error) return (error); error = copyout(&sb, SCARG(uap, ub), sizeof (sb)); return (error); } /* * Implementation of the NetBSD stat() function. * XXX This should probably be collapsed with the FreeBSD version, * as the differences are only due to vn_stat() clearing spares at * the end of the structures. vn_stat could be split to avoid this, * and thus collapse the following to close to zero code. */ void cvtnstat(sb, nsb) struct stat *sb; struct nstat *nsb; { bzero(nsb, sizeof *nsb); nsb->st_dev = sb->st_dev; nsb->st_ino = sb->st_ino; nsb->st_mode = sb->st_mode; nsb->st_nlink = sb->st_nlink; nsb->st_uid = sb->st_uid; nsb->st_gid = sb->st_gid; nsb->st_rdev = sb->st_rdev; nsb->st_atimespec = sb->st_atimespec; nsb->st_mtimespec = sb->st_mtimespec; nsb->st_ctimespec = sb->st_ctimespec; nsb->st_size = sb->st_size; nsb->st_blocks = sb->st_blocks; nsb->st_blksize = sb->st_blksize; nsb->st_flags = sb->st_flags; nsb->st_gen = sb->st_gen; nsb->st_birthtimespec = sb->st_birthtimespec; } #ifndef _SYS_SYSPROTO_H_ struct nstat_args { char *path; struct nstat *ub; }; #endif /* ARGSUSED */ int nstat(td, uap) struct thread *td; register struct nstat_args /* { syscallarg(char *) path; syscallarg(struct nstat *) ub; } */ *uap; { struct stat sb; struct nstat nsb; int error; struct nameidata nd; NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = vn_stat(nd.ni_vp, &sb, td->td_ucred, NOCRED, td); vput(nd.ni_vp); if (error) return (error); cvtnstat(&sb, &nsb); error = copyout(&nsb, SCARG(uap, ub), sizeof (nsb)); return (error); } /* * NetBSD lstat. Get file status; this version does not follow links. */ #ifndef _SYS_SYSPROTO_H_ struct lstat_args { char *path; struct stat *ub; }; #endif /* ARGSUSED */ int nlstat(td, uap) struct thread *td; register struct nlstat_args /* { syscallarg(char *) path; syscallarg(struct nstat *) ub; } */ *uap; { int error; struct vnode *vp; struct stat sb; struct nstat nsb; struct nameidata nd; NDINIT(&nd, LOOKUP, NOFOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; NDFREE(&nd, NDF_ONLY_PNBUF); error = vn_stat(vp, &sb, td->td_ucred, NOCRED, td); vput(vp); if (error) return (error); cvtnstat(&sb, &nsb); error = copyout(&nsb, SCARG(uap, ub), sizeof (nsb)); return (error); } /* * Get configurable pathname variables. */ #ifndef _SYS_SYSPROTO_H_ struct pathconf_args { char *path; int name; }; #endif /* ARGSUSED */ int pathconf(td, uap) struct thread *td; register struct pathconf_args /* { syscallarg(char *) path; syscallarg(int) name; } */ *uap; { int error; struct nameidata nd; NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = VOP_PATHCONF(nd.ni_vp, SCARG(uap, name), td->td_retval); vput(nd.ni_vp); return (error); } /* * Return target name of a symbolic link. */ #ifndef _SYS_SYSPROTO_H_ struct readlink_args { char *path; char *buf; int count; }; #endif /* ARGSUSED */ int readlink(td, uap) struct thread *td; register struct readlink_args /* { syscallarg(char *) path; syscallarg(char *) buf; syscallarg(int) count; } */ *uap; { register struct vnode *vp; struct iovec aiov; struct uio auio; int error; struct nameidata nd; NDINIT(&nd, LOOKUP, NOFOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); vp = nd.ni_vp; #ifdef MAC error = mac_check_vnode_readlink(td->td_ucred, vp); if (error) { vput(vp); return (error); } #endif if (vp->v_type != VLNK) error = EINVAL; else { aiov.iov_base = SCARG(uap, buf); aiov.iov_len = SCARG(uap, count); auio.uio_iov = &aiov; auio.uio_iovcnt = 1; auio.uio_offset = 0; auio.uio_rw = UIO_READ; auio.uio_segflg = UIO_USERSPACE; auio.uio_td = td; auio.uio_resid = SCARG(uap, count); error = VOP_READLINK(vp, &auio, td->td_ucred); } vput(vp); td->td_retval[0] = SCARG(uap, count) - auio.uio_resid; return (error); } /* * Common implementation code for chflags() and fchflags(). */ static int setfflags(td, vp, flags) struct thread *td; struct vnode *vp; int flags; { int error; struct mount *mp; struct vattr vattr; /* * Prevent non-root users from setting flags on devices. When * a device is reused, users can retain ownership of the device * if they are allowed to set flags and programs assume that * chown can't fail when done as root. */ if (vp->v_type == VCHR || vp->v_type == VBLK) { error = suser_cred(td->td_ucred, PRISON_ROOT); if (error) return (error); } if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) return (error); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC error = mac_check_vnode_setflags(td->td_ucred, vp, vattr.va_flags); if (error == 0) { #endif VATTR_NULL(&vattr); vattr.va_flags = flags; error = VOP_SETATTR(vp, &vattr, td->td_ucred, td); #ifdef MAC } #endif VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); return (error); } /* * Change flags of a file given a path name. */ #ifndef _SYS_SYSPROTO_H_ struct chflags_args { char *path; int flags; }; #endif /* ARGSUSED */ int chflags(td, uap) struct thread *td; register struct chflags_args /* { syscallarg(char *) path; syscallarg(int) flags; } */ *uap; { int error; struct nameidata nd; NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = setfflags(td, nd.ni_vp, SCARG(uap, flags)); vrele(nd.ni_vp); return error; } /* * Same as chflags() but doesn't follow symlinks. */ int lchflags(td, uap) struct thread *td; register struct lchflags_args /* { syscallarg(char *) path; syscallarg(int) flags; } */ *uap; { int error; struct nameidata nd; NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = setfflags(td, nd.ni_vp, SCARG(uap, flags)); vrele(nd.ni_vp); return error; } /* * Change flags of a file given a file descriptor. */ #ifndef _SYS_SYSPROTO_H_ struct fchflags_args { int fd; int flags; }; #endif /* ARGSUSED */ int fchflags(td, uap) struct thread *td; register struct fchflags_args /* { syscallarg(int) fd; syscallarg(int) flags; } */ *uap; { struct file *fp; int error; if ((error = getvnode(td->td_proc->p_fd, SCARG(uap, fd), &fp)) != 0) return (error); error = setfflags(td, (struct vnode *) fp->f_data, SCARG(uap, flags)); fdrop(fp, td); return (error); } /* * Common implementation code for chmod(), lchmod() and fchmod(). */ static int setfmode(td, vp, mode) struct thread *td; struct vnode *vp; int mode; { int error; struct mount *mp; struct vattr vattr; if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) return (error); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); VATTR_NULL(&vattr); vattr.va_mode = mode & ALLPERMS; #ifdef MAC error = mac_check_vnode_setmode(td->td_ucred, vp, vattr.va_mode); if (error == 0) #endif error = VOP_SETATTR(vp, &vattr, td->td_ucred, td); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); return error; } /* * Change mode of a file given path name. */ #ifndef _SYS_SYSPROTO_H_ struct chmod_args { char *path; int mode; }; #endif /* ARGSUSED */ int chmod(td, uap) struct thread *td; register struct chmod_args /* { syscallarg(char *) path; syscallarg(int) mode; } */ *uap; { int error; struct nameidata nd; NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = setfmode(td, nd.ni_vp, SCARG(uap, mode)); vrele(nd.ni_vp); return error; } /* * Change mode of a file given path name (don't follow links.) */ #ifndef _SYS_SYSPROTO_H_ struct lchmod_args { char *path; int mode; }; #endif /* ARGSUSED */ int lchmod(td, uap) struct thread *td; register struct lchmod_args /* { syscallarg(char *) path; syscallarg(int) mode; } */ *uap; { int error; struct nameidata nd; NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = setfmode(td, nd.ni_vp, SCARG(uap, mode)); vrele(nd.ni_vp); return error; } /* * Change mode of a file given a file descriptor. */ #ifndef _SYS_SYSPROTO_H_ struct fchmod_args { int fd; int mode; }; #endif /* ARGSUSED */ int fchmod(td, uap) struct thread *td; register struct fchmod_args /* { syscallarg(int) fd; syscallarg(int) mode; } */ *uap; { struct file *fp; struct vnode *vp; int error; if ((error = getvnode(td->td_proc->p_fd, SCARG(uap, fd), &fp)) != 0) return (error); vp = (struct vnode *)fp->f_data; error = setfmode(td, (struct vnode *)fp->f_data, SCARG(uap, mode)); fdrop(fp, td); return (error); } /* * Common implementation for chown(), lchown(), and fchown() */ static int setfown(td, vp, uid, gid) struct thread *td; struct vnode *vp; uid_t uid; gid_t gid; { int error; struct mount *mp; struct vattr vattr; if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) return (error); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); VATTR_NULL(&vattr); vattr.va_uid = uid; vattr.va_gid = gid; #ifdef MAC error = mac_check_vnode_setowner(td->td_ucred, vp, vattr.va_uid, vattr.va_gid); if (error == 0) #endif error = VOP_SETATTR(vp, &vattr, td->td_ucred, td); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); return error; } /* * Set ownership given a path name. */ #ifndef _SYS_SYSPROTO_H_ struct chown_args { char *path; int uid; int gid; }; #endif /* ARGSUSED */ int chown(td, uap) struct thread *td; register struct chown_args /* { syscallarg(char *) path; syscallarg(int) uid; syscallarg(int) gid; } */ *uap; { int error; struct nameidata nd; NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = setfown(td, nd.ni_vp, SCARG(uap, uid), SCARG(uap, gid)); vrele(nd.ni_vp); return (error); } /* * Set ownership given a path name, do not cross symlinks. */ #ifndef _SYS_SYSPROTO_H_ struct lchown_args { char *path; int uid; int gid; }; #endif /* ARGSUSED */ int lchown(td, uap) struct thread *td; register struct lchown_args /* { syscallarg(char *) path; syscallarg(int) uid; syscallarg(int) gid; } */ *uap; { int error; struct nameidata nd; NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = setfown(td, nd.ni_vp, SCARG(uap, uid), SCARG(uap, gid)); vrele(nd.ni_vp); return (error); } /* * Set ownership given a file descriptor. */ #ifndef _SYS_SYSPROTO_H_ struct fchown_args { int fd; int uid; int gid; }; #endif /* ARGSUSED */ int fchown(td, uap) struct thread *td; register struct fchown_args /* { syscallarg(int) fd; syscallarg(int) uid; syscallarg(int) gid; } */ *uap; { struct file *fp; struct vnode *vp; int error; if ((error = getvnode(td->td_proc->p_fd, SCARG(uap, fd), &fp)) != 0) return (error); vp = (struct vnode *)fp->f_data; error = setfown(td, (struct vnode *)fp->f_data, SCARG(uap, uid), SCARG(uap, gid)); fdrop(fp, td); return (error); } /* * Common implementation code for utimes(), lutimes(), and futimes(). */ static int getutimes(usrtvp, tsp) const struct timeval *usrtvp; struct timespec *tsp; { struct timeval tv[2]; int error; if (usrtvp == NULL) { microtime(&tv[0]); TIMEVAL_TO_TIMESPEC(&tv[0], &tsp[0]); tsp[1] = tsp[0]; } else { if ((error = copyin(usrtvp, tv, sizeof (tv))) != 0) return (error); TIMEVAL_TO_TIMESPEC(&tv[0], &tsp[0]); TIMEVAL_TO_TIMESPEC(&tv[1], &tsp[1]); } return 0; } /* * Common implementation code for utimes(), lutimes(), and futimes(). */ static int setutimes(td, vp, ts, numtimes, nullflag) struct thread *td; struct vnode *vp; const struct timespec *ts; int numtimes; int nullflag; { int error, setbirthtime; struct mount *mp; struct vattr vattr; if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) return (error); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); setbirthtime = 0; if (numtimes < 3 && VOP_GETATTR(vp, &vattr, td->td_ucred, td) == 0 && timespeccmp(&ts[1], &vattr.va_birthtime, < )) setbirthtime = 1; VATTR_NULL(&vattr); vattr.va_atime = ts[0]; vattr.va_mtime = ts[1]; if (setbirthtime) vattr.va_birthtime = ts[1]; if (numtimes > 2) vattr.va_birthtime = ts[2]; if (nullflag) vattr.va_vaflags |= VA_UTIMES_NULL; #ifdef MAC error = mac_check_vnode_setutimes(td->td_ucred, vp, vattr.va_atime, vattr.va_mtime); if (error == 0) #endif error = VOP_SETATTR(vp, &vattr, td->td_ucred, td); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); return error; } /* * Set the access and modification times of a file. */ #ifndef _SYS_SYSPROTO_H_ struct utimes_args { char *path; struct timeval *tptr; }; #endif /* ARGSUSED */ int utimes(td, uap) struct thread *td; register struct utimes_args /* { syscallarg(char *) path; syscallarg(struct timeval *) tptr; } */ *uap; { struct timespec ts[2]; struct timeval *usrtvp; int error; struct nameidata nd; usrtvp = SCARG(uap, tptr); if ((error = getutimes(usrtvp, ts)) != 0) return (error); NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = setutimes(td, nd.ni_vp, ts, 2, usrtvp == NULL); vrele(nd.ni_vp); return (error); } /* * Set the access and modification times of a file. */ #ifndef _SYS_SYSPROTO_H_ struct lutimes_args { char *path; struct timeval *tptr; }; #endif /* ARGSUSED */ int lutimes(td, uap) struct thread *td; register struct lutimes_args /* { syscallarg(char *) path; syscallarg(struct timeval *) tptr; } */ *uap; { struct timespec ts[2]; struct timeval *usrtvp; int error; struct nameidata nd; usrtvp = SCARG(uap, tptr); if ((error = getutimes(usrtvp, ts)) != 0) return (error); NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = setutimes(td, nd.ni_vp, ts, 2, usrtvp == NULL); vrele(nd.ni_vp); return (error); } /* * Set the access and modification times of a file. */ #ifndef _SYS_SYSPROTO_H_ struct futimes_args { int fd; struct timeval *tptr; }; #endif /* ARGSUSED */ int futimes(td, uap) struct thread *td; register struct futimes_args /* { syscallarg(int ) fd; syscallarg(struct timeval *) tptr; } */ *uap; { struct timespec ts[2]; struct file *fp; struct timeval *usrtvp; int error; usrtvp = SCARG(uap, tptr); if ((error = getutimes(usrtvp, ts)) != 0) return (error); if ((error = getvnode(td->td_proc->p_fd, SCARG(uap, fd), &fp)) != 0) return (error); error = setutimes(td, (struct vnode *)fp->f_data, ts, 2, usrtvp==NULL); fdrop(fp, td); return (error); } /* * Truncate a file given its path name. */ #ifndef _SYS_SYSPROTO_H_ struct truncate_args { char *path; int pad; off_t length; }; #endif /* ARGSUSED */ int truncate(td, uap) struct thread *td; register struct truncate_args /* { syscallarg(char *) path; syscallarg(int) pad; syscallarg(off_t) length; } */ *uap; { struct mount *mp; struct vnode *vp; struct vattr vattr; int error; struct nameidata nd; if (uap->length < 0) return(EINVAL); NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) { vrele(vp); return (error); } NDFREE(&nd, NDF_ONLY_PNBUF); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); if (vp->v_type == VDIR) error = EISDIR; #ifdef MAC - else if ((error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE))) {} + else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {} #endif else if ((error = vn_writechk(vp)) == 0 && (error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td)) == 0) { VATTR_NULL(&vattr); vattr.va_size = SCARG(uap, length); error = VOP_SETATTR(vp, &vattr, td->td_ucred, td); } vput(vp); vn_finished_write(mp); return (error); } /* * Truncate a file given a file descriptor. */ #ifndef _SYS_SYSPROTO_H_ struct ftruncate_args { int fd; int pad; off_t length; }; #endif /* ARGSUSED */ int ftruncate(td, uap) struct thread *td; register struct ftruncate_args /* { syscallarg(int) fd; syscallarg(int) pad; syscallarg(off_t) length; } */ *uap; { struct mount *mp; struct vattr vattr; struct vnode *vp; struct file *fp; int error; if (uap->length < 0) return(EINVAL); if ((error = getvnode(td->td_proc->p_fd, SCARG(uap, fd), &fp)) != 0) return (error); if ((fp->f_flag & FWRITE) == 0) { fdrop(fp, td); return (EINVAL); } vp = (struct vnode *)fp->f_data; if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) { fdrop(fp, td); return (error); } VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); if (vp->v_type == VDIR) error = EISDIR; #ifdef MAC - else if ((error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE))) {} + else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {} #endif else if ((error = vn_writechk(vp)) == 0) { VATTR_NULL(&vattr); vattr.va_size = SCARG(uap, length); error = VOP_SETATTR(vp, &vattr, fp->f_cred, td); } VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); fdrop(fp, td); return (error); } #if defined(COMPAT_43) || defined(COMPAT_SUNOS) /* * Truncate a file given its path name. */ #ifndef _SYS_SYSPROTO_H_ struct otruncate_args { char *path; long length; }; #endif /* ARGSUSED */ int otruncate(td, uap) struct thread *td; register struct otruncate_args /* { syscallarg(char *) path; syscallarg(long) length; } */ *uap; { struct truncate_args /* { syscallarg(char *) path; syscallarg(int) pad; syscallarg(off_t) length; } */ nuap; SCARG(&nuap, path) = SCARG(uap, path); SCARG(&nuap, length) = SCARG(uap, length); return (truncate(td, &nuap)); } /* * Truncate a file given a file descriptor. */ #ifndef _SYS_SYSPROTO_H_ struct oftruncate_args { int fd; long length; }; #endif /* ARGSUSED */ int oftruncate(td, uap) struct thread *td; register struct oftruncate_args /* { syscallarg(int) fd; syscallarg(long) length; } */ *uap; { struct ftruncate_args /* { syscallarg(int) fd; syscallarg(int) pad; syscallarg(off_t) length; } */ nuap; SCARG(&nuap, fd) = SCARG(uap, fd); SCARG(&nuap, length) = SCARG(uap, length); return (ftruncate(td, &nuap)); } #endif /* COMPAT_43 || COMPAT_SUNOS */ /* * Sync an open file. */ #ifndef _SYS_SYSPROTO_H_ struct fsync_args { int fd; }; #endif /* ARGSUSED */ int fsync(td, uap) struct thread *td; struct fsync_args /* { syscallarg(int) fd; } */ *uap; { struct vnode *vp; struct mount *mp; struct file *fp; vm_object_t obj; int error; GIANT_REQUIRED; if ((error = getvnode(td->td_proc->p_fd, SCARG(uap, fd), &fp)) != 0) return (error); vp = (struct vnode *)fp->f_data; if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) { fdrop(fp, td); return (error); } vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); if (VOP_GETVOBJECT(vp, &obj) == 0) { vm_object_page_clean(obj, 0, 0, 0); } error = VOP_FSYNC(vp, fp->f_cred, MNT_WAIT, td); if (error == 0 && vp->v_mount && (vp->v_mount->mnt_flag & MNT_SOFTDEP) && softdep_fsync_hook != NULL) error = (*softdep_fsync_hook)(vp); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); fdrop(fp, td); return (error); } /* * Rename files. Source and destination must either both be directories, * or both not be directories. If target is a directory, it must be empty. */ #ifndef _SYS_SYSPROTO_H_ struct rename_args { char *from; char *to; }; #endif /* ARGSUSED */ int rename(td, uap) struct thread *td; register struct rename_args /* { syscallarg(char *) from; syscallarg(char *) to; } */ *uap; { struct mount *mp; struct vnode *tvp, *fvp, *tdvp; struct nameidata fromnd, tond; int error; bwillwrite(); NDINIT(&fromnd, DELETE, WANTPARENT | SAVESTART, UIO_USERSPACE, SCARG(uap, from), td); if ((error = namei(&fromnd)) != 0) return (error); fvp = fromnd.ni_vp; if ((error = vn_start_write(fvp, &mp, V_WAIT | PCATCH)) != 0) { NDFREE(&fromnd, NDF_ONLY_PNBUF); vrele(fromnd.ni_dvp); vrele(fvp); goto out1; } NDINIT(&tond, RENAME, LOCKPARENT | LOCKLEAF | NOCACHE | SAVESTART | NOOBJ, UIO_USERSPACE, SCARG(uap, to), td); if (fromnd.ni_vp->v_type == VDIR) tond.ni_cnd.cn_flags |= WILLBEDIR; if ((error = namei(&tond)) != 0) { /* Translate error code for rename("dir1", "dir2/."). */ if (error == EISDIR && fvp->v_type == VDIR) error = EINVAL; NDFREE(&fromnd, NDF_ONLY_PNBUF); vrele(fromnd.ni_dvp); vrele(fvp); goto out1; } tdvp = tond.ni_dvp; tvp = tond.ni_vp; if (tvp != NULL) { if (fvp->v_type == VDIR && tvp->v_type != VDIR) { error = ENOTDIR; goto out; } else if (fvp->v_type != VDIR && tvp->v_type == VDIR) { error = EISDIR; goto out; } } if (fvp == tdvp) error = EINVAL; /* * If source is the same as the destination (that is the * same inode number with the same name in the same directory), * then there is nothing to do. */ if (fvp == tvp && fromnd.ni_dvp == tdvp && fromnd.ni_cnd.cn_namelen == tond.ni_cnd.cn_namelen && !bcmp(fromnd.ni_cnd.cn_nameptr, tond.ni_cnd.cn_nameptr, fromnd.ni_cnd.cn_namelen)) error = -1; out: if (!error) { VOP_LEASE(tdvp, td, td->td_ucred, LEASE_WRITE); if (fromnd.ni_dvp != tdvp) { VOP_LEASE(fromnd.ni_dvp, td, td->td_ucred, LEASE_WRITE); } if (tvp) { VOP_LEASE(tvp, td, td->td_ucred, LEASE_WRITE); } error = VOP_RENAME(fromnd.ni_dvp, fromnd.ni_vp, &fromnd.ni_cnd, tond.ni_dvp, tond.ni_vp, &tond.ni_cnd); NDFREE(&fromnd, NDF_ONLY_PNBUF); NDFREE(&tond, NDF_ONLY_PNBUF); } else { NDFREE(&fromnd, NDF_ONLY_PNBUF); NDFREE(&tond, NDF_ONLY_PNBUF); if (tdvp == tvp) vrele(tdvp); else vput(tdvp); if (tvp) vput(tvp); vrele(fromnd.ni_dvp); vrele(fvp); } vrele(tond.ni_startdir); vn_finished_write(mp); ASSERT_VOP_UNLOCKED(fromnd.ni_dvp, "rename"); ASSERT_VOP_UNLOCKED(fromnd.ni_vp, "rename"); ASSERT_VOP_UNLOCKED(tond.ni_dvp, "rename"); ASSERT_VOP_UNLOCKED(tond.ni_vp, "rename"); out1: if (fromnd.ni_startdir) vrele(fromnd.ni_startdir); if (error == -1) return (0); return (error); } /* * Make a directory file. */ #ifndef _SYS_SYSPROTO_H_ struct mkdir_args { char *path; int mode; }; #endif /* ARGSUSED */ int mkdir(td, uap) struct thread *td; register struct mkdir_args /* { syscallarg(char *) path; syscallarg(int) mode; } */ *uap; { return vn_mkdir(uap->path, uap->mode, UIO_USERSPACE, td); } int vn_mkdir(path, mode, segflg, td) char *path; int mode; enum uio_seg segflg; struct thread *td; { struct mount *mp; struct vnode *vp; struct vattr vattr; int error; struct nameidata nd; restart: bwillwrite(); NDINIT(&nd, CREATE, LOCKPARENT | SAVENAME, segflg, path, td); nd.ni_cnd.cn_flags |= WILLBEDIR; if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; if (vp != NULL) { NDFREE(&nd, NDF_ONLY_PNBUF); vrele(vp); /* * XXX namei called with LOCKPARENT but not LOCKLEAF has * the strange behaviour of leaving the vnode unlocked * if the target is the same vnode as the parent. */ if (vp == nd.ni_dvp) vrele(nd.ni_dvp); else vput(nd.ni_dvp); return (EEXIST); } if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) { NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); if ((error = vn_start_write(NULL, &mp, V_XSLEEP | PCATCH)) != 0) return (error); goto restart; } VATTR_NULL(&vattr); vattr.va_type = VDIR; FILEDESC_LOCK(td->td_proc->p_fd); vattr.va_mode = (mode & ACCESSPERMS) &~ td->td_proc->p_fd->fd_cmask; FILEDESC_UNLOCK(td->td_proc->p_fd); VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE); error = VOP_MKDIR(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr); NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); if (!error) vput(nd.ni_vp); vn_finished_write(mp); ASSERT_VOP_UNLOCKED(nd.ni_dvp, "mkdir"); ASSERT_VOP_UNLOCKED(nd.ni_vp, "mkdir"); return (error); } /* * Remove a directory file. */ #ifndef _SYS_SYSPROTO_H_ struct rmdir_args { char *path; }; #endif /* ARGSUSED */ int rmdir(td, uap) struct thread *td; struct rmdir_args /* { syscallarg(char *) path; } */ *uap; { struct mount *mp; struct vnode *vp; int error; struct nameidata nd; restart: bwillwrite(); NDINIT(&nd, DELETE, LOCKPARENT | LOCKLEAF, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; if (vp->v_type != VDIR) { error = ENOTDIR; goto out; } /* * No rmdir "." please. */ if (nd.ni_dvp == vp) { error = EINVAL; goto out; } /* * The root of a mounted filesystem cannot be deleted. */ if (vp->v_vflag & VV_ROOT) { error = EBUSY; goto out; } if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) { NDFREE(&nd, NDF_ONLY_PNBUF); if (nd.ni_dvp == vp) vrele(nd.ni_dvp); else vput(nd.ni_dvp); vput(vp); if ((error = vn_start_write(NULL, &mp, V_XSLEEP | PCATCH)) != 0) return (error); goto restart; } VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); error = VOP_RMDIR(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd); vn_finished_write(mp); out: NDFREE(&nd, NDF_ONLY_PNBUF); if (nd.ni_dvp == vp) vrele(nd.ni_dvp); else vput(nd.ni_dvp); vput(vp); ASSERT_VOP_UNLOCKED(nd.ni_dvp, "rmdir"); ASSERT_VOP_UNLOCKED(nd.ni_vp, "rmdir"); return (error); } #ifdef COMPAT_43 /* * Read a block of directory entries in a filesystem independent format. */ #ifndef _SYS_SYSPROTO_H_ struct ogetdirentries_args { int fd; char *buf; u_int count; long *basep; }; #endif int ogetdirentries(td, uap) struct thread *td; register struct ogetdirentries_args /* { syscallarg(int) fd; syscallarg(char *) buf; syscallarg(u_int) count; syscallarg(long *) basep; } */ *uap; { struct vnode *vp; struct file *fp; struct uio auio, kuio; struct iovec aiov, kiov; struct dirent *dp, *edp; caddr_t dirbuf; int error, eofflag, readcnt; long loff; /* XXX arbitrary sanity limit on `count'. */ if (SCARG(uap, count) > 64 * 1024) return (EINVAL); if ((error = getvnode(td->td_proc->p_fd, SCARG(uap, fd), &fp)) != 0) return (error); if ((fp->f_flag & FREAD) == 0) { fdrop(fp, td); return (EBADF); } vp = (struct vnode *)fp->f_data; unionread: if (vp->v_type != VDIR) { fdrop(fp, td); return (EINVAL); } aiov.iov_base = SCARG(uap, buf); aiov.iov_len = SCARG(uap, count); auio.uio_iov = &aiov; auio.uio_iovcnt = 1; auio.uio_rw = UIO_READ; auio.uio_segflg = UIO_USERSPACE; auio.uio_td = td; auio.uio_resid = SCARG(uap, count); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); loff = auio.uio_offset = fp->f_offset; #ifdef MAC error = mac_check_vnode_readdir(td->td_ucred, vp); if (error) { VOP_UNLOCK(vp, 0, td); fdrop(fp, td); return (error); } #endif # if (BYTE_ORDER != LITTLE_ENDIAN) if (vp->v_mount->mnt_maxsymlinklen <= 0) { error = VOP_READDIR(vp, &auio, fp->f_cred, &eofflag, NULL, NULL); fp->f_offset = auio.uio_offset; } else # endif { kuio = auio; kuio.uio_iov = &kiov; kuio.uio_segflg = UIO_SYSSPACE; kiov.iov_len = SCARG(uap, count); MALLOC(dirbuf, caddr_t, SCARG(uap, count), M_TEMP, M_WAITOK); kiov.iov_base = dirbuf; error = VOP_READDIR(vp, &kuio, fp->f_cred, &eofflag, NULL, NULL); fp->f_offset = kuio.uio_offset; if (error == 0) { readcnt = SCARG(uap, count) - kuio.uio_resid; edp = (struct dirent *)&dirbuf[readcnt]; for (dp = (struct dirent *)dirbuf; dp < edp; ) { # if (BYTE_ORDER == LITTLE_ENDIAN) /* * The expected low byte of * dp->d_namlen is our dp->d_type. * The high MBZ byte of dp->d_namlen * is our dp->d_namlen. */ dp->d_type = dp->d_namlen; dp->d_namlen = 0; # else /* * The dp->d_type is the high byte * of the expected dp->d_namlen, * so must be zero'ed. */ dp->d_type = 0; # endif if (dp->d_reclen > 0) { dp = (struct dirent *) ((char *)dp + dp->d_reclen); } else { error = EIO; break; } } if (dp >= edp) error = uiomove(dirbuf, readcnt, &auio); } FREE(dirbuf, M_TEMP); } VOP_UNLOCK(vp, 0, td); if (error) { fdrop(fp, td); return (error); } if (SCARG(uap, count) == auio.uio_resid) { if (union_dircheckp) { error = union_dircheckp(td, &vp, fp); if (error == -1) goto unionread; if (error) { fdrop(fp, td); return (error); } } mp_fixme("Accessing vflags w/o vn lock."); if ((vp->v_vflag & VV_ROOT) && (vp->v_mount->mnt_flag & MNT_UNION)) { struct vnode *tvp = vp; vp = vp->v_mount->mnt_vnodecovered; VREF(vp); fp->f_data = vp; fp->f_offset = 0; vrele(tvp); goto unionread; } } error = copyout(&loff, SCARG(uap, basep), sizeof(long)); fdrop(fp, td); td->td_retval[0] = SCARG(uap, count) - auio.uio_resid; return (error); } #endif /* COMPAT_43 */ /* * Read a block of directory entries in a filesystem independent format. */ #ifndef _SYS_SYSPROTO_H_ struct getdirentries_args { int fd; char *buf; u_int count; long *basep; }; #endif int getdirentries(td, uap) struct thread *td; register struct getdirentries_args /* { syscallarg(int) fd; syscallarg(char *) buf; syscallarg(u_int) count; syscallarg(long *) basep; } */ *uap; { struct vnode *vp; struct file *fp; struct uio auio; struct iovec aiov; long loff; int error, eofflag; if ((error = getvnode(td->td_proc->p_fd, SCARG(uap, fd), &fp)) != 0) return (error); if ((fp->f_flag & FREAD) == 0) { fdrop(fp, td); return (EBADF); } vp = (struct vnode *)fp->f_data; unionread: if (vp->v_type != VDIR) { fdrop(fp, td); return (EINVAL); } aiov.iov_base = SCARG(uap, buf); aiov.iov_len = SCARG(uap, count); auio.uio_iov = &aiov; auio.uio_iovcnt = 1; auio.uio_rw = UIO_READ; auio.uio_segflg = UIO_USERSPACE; auio.uio_td = td; auio.uio_resid = SCARG(uap, count); /* vn_lock(vp, LK_SHARED | LK_RETRY, td); */ vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); loff = auio.uio_offset = fp->f_offset; #ifdef MAC error = mac_check_vnode_readdir(td->td_ucred, vp); if (error == 0) #endif error = VOP_READDIR(vp, &auio, fp->f_cred, &eofflag, NULL, NULL); fp->f_offset = auio.uio_offset; VOP_UNLOCK(vp, 0, td); if (error) { fdrop(fp, td); return (error); } if (SCARG(uap, count) == auio.uio_resid) { if (union_dircheckp) { error = union_dircheckp(td, &vp, fp); if (error == -1) goto unionread; if (error) { fdrop(fp, td); return (error); } } mp_fixme("Accessing vflag without vn lock."); if ((vp->v_vflag & VV_ROOT) && (vp->v_mount->mnt_flag & MNT_UNION)) { struct vnode *tvp = vp; vp = vp->v_mount->mnt_vnodecovered; VREF(vp); fp->f_data = vp; fp->f_offset = 0; vrele(tvp); goto unionread; } } if (SCARG(uap, basep) != NULL) { error = copyout(&loff, SCARG(uap, basep), sizeof(long)); } td->td_retval[0] = SCARG(uap, count) - auio.uio_resid; fdrop(fp, td); return (error); } #ifndef _SYS_SYSPROTO_H_ struct getdents_args { int fd; char *buf; size_t count; }; #endif int getdents(td, uap) struct thread *td; register struct getdents_args /* { syscallarg(int) fd; syscallarg(char *) buf; syscallarg(u_int) count; } */ *uap; { struct getdirentries_args ap; ap.fd = uap->fd; ap.buf = uap->buf; ap.count = uap->count; ap.basep = NULL; return getdirentries(td, &ap); } /* * Set the mode mask for creation of filesystem nodes. * * MP SAFE */ #ifndef _SYS_SYSPROTO_H_ struct umask_args { int newmask; }; #endif int umask(td, uap) struct thread *td; struct umask_args /* { syscallarg(int) newmask; } */ *uap; { register struct filedesc *fdp; FILEDESC_LOCK(td->td_proc->p_fd); fdp = td->td_proc->p_fd; td->td_retval[0] = fdp->fd_cmask; fdp->fd_cmask = SCARG(uap, newmask) & ALLPERMS; FILEDESC_UNLOCK(td->td_proc->p_fd); return (0); } /* * Void all references to file by ripping underlying filesystem * away from vnode. */ #ifndef _SYS_SYSPROTO_H_ struct revoke_args { char *path; }; #endif /* ARGSUSED */ int revoke(td, uap) struct thread *td; register struct revoke_args /* { syscallarg(char *) path; } */ *uap; { struct mount *mp; struct vnode *vp; struct vattr vattr; int error; struct nameidata nd; NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; NDFREE(&nd, NDF_ONLY_PNBUF); if (vp->v_type != VCHR) { vput(vp); return (EINVAL); } #ifdef MAC error = mac_check_vnode_revoke(td->td_ucred, vp); if (error) { vput(vp); return (error); } #endif error = VOP_GETATTR(vp, &vattr, td->td_ucred, td); if (error) { vput(vp); return (error); } VOP_UNLOCK(vp, 0, td); if (td->td_ucred->cr_uid != vattr.va_uid) { error = suser_cred(td->td_ucred, PRISON_ROOT); if (error) goto out; } if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) goto out; if (vcount(vp) > 1) VOP_REVOKE(vp, REVOKEALL); vn_finished_write(mp); out: vrele(vp); return (error); } /* * Convert a user file descriptor to a kernel file entry. * The file entry is locked upon returning. */ int getvnode(fdp, fd, fpp) struct filedesc *fdp; int fd; struct file **fpp; { int error; struct file *fp; fp = NULL; if (fdp == NULL) error = EBADF; else { FILEDESC_LOCK(fdp); if ((u_int)fd >= fdp->fd_nfiles || (fp = fdp->fd_ofiles[fd]) == NULL) error = EBADF; else if (fp->f_type != DTYPE_VNODE && fp->f_type != DTYPE_FIFO) { fp = NULL; error = EINVAL; } else { fhold(fp); error = 0; } FILEDESC_UNLOCK(fdp); } *fpp = fp; return (error); } /* * Get (NFS) file handle */ #ifndef _SYS_SYSPROTO_H_ struct getfh_args { char *fname; fhandle_t *fhp; }; #endif int getfh(td, uap) struct thread *td; register struct getfh_args *uap; { struct nameidata nd; fhandle_t fh; register struct vnode *vp; int error; /* * Must be super user */ error = suser(td); if (error) return (error); NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, uap->fname, td); error = namei(&nd); if (error) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); vp = nd.ni_vp; bzero(&fh, sizeof(fh)); fh.fh_fsid = vp->v_mount->mnt_stat.f_fsid; error = VFS_VPTOFH(vp, &fh.fh_fid); vput(vp); if (error) return (error); error = copyout(&fh, uap->fhp, sizeof (fh)); return (error); } /* * syscall for the rpc.lockd to use to translate a NFS file handle into * an open descriptor. * * warning: do not remove the suser() call or this becomes one giant * security hole. */ #ifndef _SYS_SYSPROTO_H_ struct fhopen_args { const struct fhandle *u_fhp; int flags; }; #endif int fhopen(td, uap) struct thread *td; struct fhopen_args /* { syscallarg(const struct fhandle *) u_fhp; syscallarg(int) flags; } */ *uap; { struct proc *p = td->td_proc; struct mount *mp; struct vnode *vp; struct fhandle fhp; struct vattr vat; struct vattr *vap = &vat; struct flock lf; struct file *fp; register struct filedesc *fdp = p->p_fd; int fmode, mode, error, type; struct file *nfp; int indx; /* * Must be super user */ error = suser(td); if (error) return (error); fmode = FFLAGS(SCARG(uap, flags)); /* why not allow a non-read/write open for our lockd? */ if (((fmode & (FREAD | FWRITE)) == 0) || (fmode & O_CREAT)) return (EINVAL); error = copyin(SCARG(uap,u_fhp), &fhp, sizeof(fhp)); if (error) return(error); /* find the mount point */ mp = vfs_getvfs(&fhp.fh_fsid); if (mp == NULL) return (ESTALE); /* now give me my vnode, it gets returned to me locked */ error = VFS_FHTOVP(mp, &fhp.fh_fid, &vp); if (error) return (error); /* * from now on we have to make sure not * to forget about the vnode * any error that causes an abort must vput(vp) * just set error = err and 'goto bad;'. */ /* * from vn_open */ if (vp->v_type == VLNK) { error = EMLINK; goto bad; } if (vp->v_type == VSOCK) { error = EOPNOTSUPP; goto bad; } mode = 0; if (fmode & (FWRITE | O_TRUNC)) { if (vp->v_type == VDIR) { error = EISDIR; goto bad; } error = vn_writechk(vp); if (error) goto bad; mode |= VWRITE; } if (fmode & FREAD) mode |= VREAD; if (fmode & O_APPEND) mode |= VAPPEND; #ifdef MAC error = mac_check_vnode_open(td->td_ucred, vp, mode); if (error) goto bad; #endif if (mode) { error = VOP_ACCESS(vp, mode, td->td_ucred, td); if (error) goto bad; } if (fmode & O_TRUNC) { VOP_UNLOCK(vp, 0, td); /* XXX */ if ((error = vn_start_write(NULL, &mp, V_WAIT | PCATCH)) != 0) { vrele(vp); return (error); } VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); /* XXX */ #ifdef MAC - error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(td->td_ucred, vp); if (error == 0) { #endif VATTR_NULL(vap); vap->va_size = 0; error = VOP_SETATTR(vp, vap, td->td_ucred, td); #ifdef MAC } #endif vn_finished_write(mp); if (error) goto bad; } error = VOP_OPEN(vp, fmode, td->td_ucred, td); if (error) goto bad; /* * Make sure that a VM object is created for VMIO support. */ if (vn_canvmio(vp) == TRUE) { if ((error = vfs_object_create(vp, td, td->td_ucred)) != 0) goto bad; } if (fmode & FWRITE) vp->v_writecount++; /* * end of vn_open code */ if ((error = falloc(td, &nfp, &indx)) != 0) { if (fmode & FWRITE) vp->v_writecount--; goto bad; } fp = nfp; /* * Hold an extra reference to avoid having fp ripped out * from under us while we block in the lock op */ fhold(fp); nfp->f_data = vp; nfp->f_flag = fmode & FMASK; nfp->f_ops = &vnops; nfp->f_type = DTYPE_VNODE; if (fmode & (O_EXLOCK | O_SHLOCK)) { lf.l_whence = SEEK_SET; lf.l_start = 0; lf.l_len = 0; if (fmode & O_EXLOCK) lf.l_type = F_WRLCK; else lf.l_type = F_RDLCK; type = F_FLOCK; if ((fmode & FNONBLOCK) == 0) type |= F_WAIT; VOP_UNLOCK(vp, 0, td); if ((error = VOP_ADVLOCK(vp, (caddr_t)fp, F_SETLK, &lf, type)) != 0) { /* * The lock request failed. Normally close the * descriptor but handle the case where someone might * have dup()d or close()d it when we weren't looking. */ FILEDESC_LOCK(fdp); if (fdp->fd_ofiles[indx] == fp) { fdp->fd_ofiles[indx] = NULL; FILEDESC_UNLOCK(fdp); fdrop(fp, td); } else FILEDESC_UNLOCK(fdp); /* * release our private reference */ fdrop(fp, td); return(error); } vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); fp->f_flag |= FHASLOCK; } if ((vp->v_type == VREG) && (VOP_GETVOBJECT(vp, NULL) != 0)) vfs_object_create(vp, td, td->td_ucred); VOP_UNLOCK(vp, 0, td); fdrop(fp, td); td->td_retval[0] = indx; return (0); bad: vput(vp); return (error); } /* * Stat an (NFS) file handle. */ #ifndef _SYS_SYSPROTO_H_ struct fhstat_args { struct fhandle *u_fhp; struct stat *sb; }; #endif int fhstat(td, uap) struct thread *td; register struct fhstat_args /* { syscallarg(struct fhandle *) u_fhp; syscallarg(struct stat *) sb; } */ *uap; { struct stat sb; fhandle_t fh; struct mount *mp; struct vnode *vp; int error; /* * Must be super user */ error = suser(td); if (error) return (error); error = copyin(SCARG(uap, u_fhp), &fh, sizeof(fhandle_t)); if (error) return (error); if ((mp = vfs_getvfs(&fh.fh_fsid)) == NULL) return (ESTALE); if ((error = VFS_FHTOVP(mp, &fh.fh_fid, &vp))) return (error); error = vn_stat(vp, &sb, td->td_ucred, NOCRED, td); vput(vp); if (error) return (error); error = copyout(&sb, SCARG(uap, sb), sizeof(sb)); return (error); } /* * Implement fstatfs() for (NFS) file handles. */ #ifndef _SYS_SYSPROTO_H_ struct fhstatfs_args { struct fhandle *u_fhp; struct statfs *buf; }; #endif int fhstatfs(td, uap) struct thread *td; struct fhstatfs_args /* { syscallarg(struct fhandle) *u_fhp; syscallarg(struct statfs) *buf; } */ *uap; { struct statfs *sp; struct mount *mp; struct vnode *vp; struct statfs sb; fhandle_t fh; int error; /* * Must be super user */ error = suser(td); if (error) return (error); if ((error = copyin(SCARG(uap, u_fhp), &fh, sizeof(fhandle_t))) != 0) return (error); if ((mp = vfs_getvfs(&fh.fh_fsid)) == NULL) return (ESTALE); if ((error = VFS_FHTOVP(mp, &fh.fh_fid, &vp))) return (error); mp = vp->v_mount; sp = &mp->mnt_stat; vput(vp); #ifdef MAC error = mac_check_mount_stat(td->td_ucred, mp); if (error) return (error); #endif if ((error = VFS_STATFS(mp, sp, td)) != 0) return (error); sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; if (suser(td)) { bcopy(sp, &sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; sp = &sb; } return (copyout(sp, SCARG(uap, buf), sizeof(*sp))); } /* * Syscall to push extended attribute configuration information into the * VFS. Accepts a path, which it converts to a mountpoint, as well as * a command (int cmd), and attribute name and misc data. For now, the * attribute name is left in userspace for consumption by the VFS_op. * It will probably be changed to be copied into sysspace by the * syscall in the future, once issues with various consumers of the * attribute code have raised their hands. * * Currently this is used only by UFS Extended Attributes. */ int extattrctl(td, uap) struct thread *td; struct extattrctl_args /* { syscallarg(const char *) path; syscallarg(int) cmd; syscallarg(const char *) filename; syscallarg(int) attrnamespace; syscallarg(const char *) attrname; } */ *uap; { struct vnode *filename_vp; struct nameidata nd; struct mount *mp, *mp_writable; char attrname[EXTATTR_MAXNAMELEN]; int error; /* * uap->attrname is not always defined. We check again later when we * invoke the VFS call so as to pass in NULL there if needed. */ if (uap->attrname != NULL) { error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return (error); } /* * uap->filename is not always defined. If it is, grab a vnode lock, * which VFS_EXTATTRCTL() will later release. */ filename_vp = NULL; if (uap->filename != NULL) { NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, uap->filename, td); if ((error = namei(&nd)) != 0) return (error); filename_vp = nd.ni_vp; NDFREE(&nd, NDF_NO_VP_RELE | NDF_NO_VP_UNLOCK); } /* uap->path is always defined. */ NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, uap->path, td); if ((error = namei(&nd)) != 0) { if (filename_vp != NULL) vput(filename_vp); return (error); } mp = nd.ni_vp->v_mount; error = vn_start_write(nd.ni_vp, &mp_writable, V_WAIT | PCATCH); NDFREE(&nd, 0); if (error) { if (filename_vp != NULL) vput(filename_vp); return (error); } error = VFS_EXTATTRCTL(mp, uap->cmd, filename_vp, uap->attrnamespace, uap->attrname != NULL ? attrname : NULL, td); vn_finished_write(mp_writable); /* * VFS_EXTATTRCTL will have unlocked, but not de-ref'd, * filename_vp, so vrele it if it is defined. */ if (filename_vp != NULL) vrele(filename_vp); return (error); } /*- * Set a named extended attribute on a file or directory * * Arguments: unlocked vnode "vp", attribute namespace "attrnamespace", * kernelspace string pointer "attrname", userspace buffer * pointer "data", buffer length "nbytes", thread "td". * Returns: 0 on success, an error number otherwise * Locks: none * References: vp must be a valid reference for the duration of the call */ static int extattr_set_vp(struct vnode *vp, int attrnamespace, const char *attrname, void *data, size_t nbytes, struct thread *td) { struct mount *mp; struct uio auio; struct iovec aiov; ssize_t cnt; int error; if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) return (error); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); aiov.iov_base = data; aiov.iov_len = nbytes; auio.uio_iov = &aiov; auio.uio_iovcnt = 1; auio.uio_offset = 0; if (nbytes > INT_MAX) { error = EINVAL; goto done; } auio.uio_resid = nbytes; auio.uio_rw = UIO_WRITE; auio.uio_segflg = UIO_USERSPACE; auio.uio_td = td; cnt = nbytes; #ifdef MAC error = mac_check_vnode_setextattr(td->td_ucred, vp, attrnamespace, attrname, &auio); if (error) goto done; #endif error = VOP_SETEXTATTR(vp, attrnamespace, attrname, &auio, td->td_ucred, td); cnt -= auio.uio_resid; td->td_retval[0] = cnt; done: VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); return (error); } int extattr_set_file(td, uap) struct thread *td; struct extattr_set_file_args /* { syscallarg(const char *) path; syscallarg(int) attrnamespace; syscallarg(const char *) attrname; syscallarg(void *) data; syscallarg(size_t) nbytes; } */ *uap; { struct nameidata nd; char attrname[EXTATTR_MAXNAMELEN]; int error; error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return (error); NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, uap->path, td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = extattr_set_vp(nd.ni_vp, uap->attrnamespace, attrname, uap->data, uap->nbytes, td); vrele(nd.ni_vp); return (error); } int extattr_set_fd(td, uap) struct thread *td; struct extattr_set_fd_args /* { syscallarg(int) fd; syscallarg(int) attrnamespace; syscallarg(const char *) attrname; syscallarg(void *) data; syscallarg(size_t) nbytes; } */ *uap; { struct file *fp; char attrname[EXTATTR_MAXNAMELEN]; int error; error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return (error); if ((error = getvnode(td->td_proc->p_fd, uap->fd, &fp)) != 0) return (error); error = extattr_set_vp((struct vnode *)fp->f_data, uap->attrnamespace, attrname, uap->data, uap->nbytes, td); fdrop(fp, td); return (error); } /*- * Get a named extended attribute on a file or directory * * Arguments: unlocked vnode "vp", attribute namespace "attrnamespace", * kernelspace string pointer "attrname", userspace buffer * pointer "data", buffer length "nbytes", thread "td". * Returns: 0 on success, an error number otherwise * Locks: none * References: vp must be a valid reference for the duration of the call */ static int extattr_get_vp(struct vnode *vp, int attrnamespace, const char *attrname, void *data, size_t nbytes, struct thread *td) { struct uio auio, *auiop; struct iovec aiov; ssize_t cnt; size_t size, *sizep; int error; VOP_LEASE(vp, td, td->td_ucred, LEASE_READ); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); /* * Slightly unusual semantics: if the user provides a NULL data * pointer, they don't want to receive the data, just the * maximum read length. */ auiop = NULL; sizep = NULL; cnt = 0; if (data != NULL) { aiov.iov_base = data; aiov.iov_len = nbytes; auio.uio_iov = &aiov; auio.uio_offset = 0; if (nbytes > INT_MAX) { error = EINVAL; goto done; } auio.uio_resid = nbytes; auio.uio_rw = UIO_READ; auio.uio_segflg = UIO_USERSPACE; auio.uio_td = td; auiop = &auio; cnt = nbytes; } else sizep = &size; #ifdef MAC error = mac_check_vnode_getextattr(td->td_ucred, vp, attrnamespace, attrname, &auio); if (error) goto done; #endif error = VOP_GETEXTATTR(vp, attrnamespace, attrname, auiop, sizep, td->td_ucred, td); if (auiop != NULL) { cnt -= auio.uio_resid; td->td_retval[0] = cnt; } else td->td_retval[0] = size; done: VOP_UNLOCK(vp, 0, td); return (error); } int extattr_get_file(td, uap) struct thread *td; struct extattr_get_file_args /* { syscallarg(const char *) path; syscallarg(int) attrnamespace; syscallarg(const char *) attrname; syscallarg(void *) data; syscallarg(size_t) nbytes; } */ *uap; { struct nameidata nd; char attrname[EXTATTR_MAXNAMELEN]; int error; error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return (error); NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, uap->path, td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = extattr_get_vp(nd.ni_vp, uap->attrnamespace, attrname, uap->data, uap->nbytes, td); vrele(nd.ni_vp); return (error); } int extattr_get_fd(td, uap) struct thread *td; struct extattr_get_fd_args /* { syscallarg(int) fd; syscallarg(int) attrnamespace; syscallarg(const char *) attrname; syscallarg(void *) data; syscallarg(size_t) nbytes; } */ *uap; { struct file *fp; char attrname[EXTATTR_MAXNAMELEN]; int error; error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return (error); if ((error = getvnode(td->td_proc->p_fd, uap->fd, &fp)) != 0) return (error); error = extattr_get_vp((struct vnode *)fp->f_data, uap->attrnamespace, attrname, uap->data, uap->nbytes, td); fdrop(fp, td); return (error); } /* * extattr_delete_vp(): Delete a named extended attribute on a file or * directory * * Arguments: unlocked vnode "vp", attribute namespace "attrnamespace", * kernelspace string pointer "attrname", proc "p" * Returns: 0 on success, an error number otherwise * Locks: none * References: vp must be a valid reference for the duration of the call */ static int extattr_delete_vp(struct vnode *vp, int attrnamespace, const char *attrname, struct thread *td) { struct mount *mp; int error; if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) return (error); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC error = mac_check_vnode_setextattr(td->td_ucred, vp, attrnamespace, attrname, NULL); #endif error = VOP_SETEXTATTR(vp, attrnamespace, attrname, NULL, td->td_ucred, td); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); return (error); } int extattr_delete_file(td, uap) struct thread *td; struct extattr_delete_file_args /* { syscallarg(const char *) path; syscallarg(int) attrnamespace; syscallarg(const char *) attrname; } */ *uap; { struct nameidata nd; char attrname[EXTATTR_MAXNAMELEN]; int error; error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return(error); NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, uap->path, td); if ((error = namei(&nd)) != 0) return(error); NDFREE(&nd, NDF_ONLY_PNBUF); error = extattr_delete_vp(nd.ni_vp, uap->attrnamespace, attrname, td); vrele(nd.ni_vp); return(error); } int extattr_delete_fd(td, uap) struct thread *td; struct extattr_delete_fd_args /* { syscallarg(int) fd; syscallarg(int) attrnamespace; syscallarg(const char *) attrname; } */ *uap; { struct file *fp; struct vnode *vp; char attrname[EXTATTR_MAXNAMELEN]; int error; error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return (error); if ((error = getvnode(td->td_proc->p_fd, uap->fd, &fp)) != 0) return (error); vp = (struct vnode *)fp->f_data; error = extattr_delete_vp(vp, uap->attrnamespace, attrname, td); fdrop(fp, td); return (error); } Index: head/sys/kern/vfs_syscalls.c =================================================================== --- head/sys/kern/vfs_syscalls.c (revision 102111) +++ head/sys/kern/vfs_syscalls.c (revision 102112) @@ -1,3966 +1,3962 @@ /* * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. * (c) UNIX System Laboratories, Inc. * All or some portions of this file are derived from material licensed * to the University of California by American Telephone and Telegraph * Co. or Unix System Laboratories, Inc. and are reproduced herein with * the permission of UNIX System Laboratories, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)vfs_syscalls.c 8.13 (Berkeley) 4/15/94 * $FreeBSD$ */ /* For 4.3 integer FS ID compatibility */ #include "opt_compat.h" #include "opt_mac.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static int change_dir(struct nameidata *ndp, struct thread *td); static int chroot_refuse_vdir_fds(struct filedesc *fdp); static int getutimes(const struct timeval *, struct timespec *); static int setfown(struct thread *td, struct vnode *, uid_t, gid_t); static int setfmode(struct thread *td, struct vnode *, int); static int setfflags(struct thread *td, struct vnode *, int); static int setutimes(struct thread *td, struct vnode *, const struct timespec *, int, int); static int vn_access(struct vnode *vp, int user_flags, struct ucred *cred, struct thread *td); int (*union_dircheckp)(struct thread *td, struct vnode **, struct file *); int (*softdep_fsync_hook)(struct vnode *); /* * Sync each mounted filesystem. */ #ifndef _SYS_SYSPROTO_H_ struct sync_args { int dummy; }; #endif #ifdef DEBUG static int syncprt = 0; SYSCTL_INT(_debug, OID_AUTO, syncprt, CTLFLAG_RW, &syncprt, 0, ""); #endif /* ARGSUSED */ int sync(td, uap) struct thread *td; struct sync_args *uap; { struct mount *mp, *nmp; int asyncflag; mtx_lock(&mountlist_mtx); for (mp = TAILQ_FIRST(&mountlist); mp != NULL; mp = nmp) { if (vfs_busy(mp, LK_NOWAIT, &mountlist_mtx, td)) { nmp = TAILQ_NEXT(mp, mnt_list); continue; } if ((mp->mnt_flag & MNT_RDONLY) == 0 && vn_start_write(NULL, &mp, V_NOWAIT) == 0) { asyncflag = mp->mnt_flag & MNT_ASYNC; mp->mnt_flag &= ~MNT_ASYNC; vfs_msync(mp, MNT_NOWAIT); VFS_SYNC(mp, MNT_NOWAIT, ((td != NULL) ? td->td_ucred : NOCRED), td); mp->mnt_flag |= asyncflag; vn_finished_write(mp); } mtx_lock(&mountlist_mtx); nmp = TAILQ_NEXT(mp, mnt_list); vfs_unbusy(mp, td); } mtx_unlock(&mountlist_mtx); #if 0 /* * XXX don't call vfs_bufstats() yet because that routine * was not imported in the Lite2 merge. */ #ifdef DIAGNOSTIC if (syncprt) vfs_bufstats(); #endif /* DIAGNOSTIC */ #endif return (0); } /* XXX PRISON: could be per prison flag */ static int prison_quotas; #if 0 SYSCTL_INT(_kern_prison, OID_AUTO, quotas, CTLFLAG_RW, &prison_quotas, 0, ""); #endif /* * Change filesystem quotas. */ #ifndef _SYS_SYSPROTO_H_ struct quotactl_args { char *path; int cmd; int uid; caddr_t arg; }; #endif /* ARGSUSED */ int quotactl(td, uap) struct thread *td; register struct quotactl_args /* { syscallarg(char *) path; syscallarg(int) cmd; syscallarg(int) uid; syscallarg(caddr_t) arg; } */ *uap; { struct mount *mp; int error; struct nameidata nd; if (jailed(td->td_ucred) && !prison_quotas) return (EPERM); NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); vrele(nd.ni_vp); if (error) return (error); error = VFS_QUOTACTL(mp, SCARG(uap, cmd), SCARG(uap, uid), SCARG(uap, arg), td); vn_finished_write(mp); return (error); } /* * Get filesystem statistics. */ #ifndef _SYS_SYSPROTO_H_ struct statfs_args { char *path; struct statfs *buf; }; #endif /* ARGSUSED */ int statfs(td, uap) struct thread *td; register struct statfs_args /* { syscallarg(char *) path; syscallarg(struct statfs *) buf; } */ *uap; { register struct mount *mp; register struct statfs *sp; int error; struct nameidata nd; struct statfs sb; NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); mp = nd.ni_vp->v_mount; sp = &mp->mnt_stat; NDFREE(&nd, NDF_ONLY_PNBUF); vrele(nd.ni_vp); #ifdef MAC error = mac_check_mount_stat(td->td_ucred, mp); if (error) return (error); #endif error = VFS_STATFS(mp, sp, td); if (error) return (error); sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; if (suser(td)) { bcopy(sp, &sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; sp = &sb; } return (copyout(sp, SCARG(uap, buf), sizeof(*sp))); } /* * Get filesystem statistics. */ #ifndef _SYS_SYSPROTO_H_ struct fstatfs_args { int fd; struct statfs *buf; }; #endif /* ARGSUSED */ int fstatfs(td, uap) struct thread *td; register struct fstatfs_args /* { syscallarg(int) fd; syscallarg(struct statfs *) buf; } */ *uap; { struct file *fp; struct mount *mp; register struct statfs *sp; int error; struct statfs sb; if ((error = getvnode(td->td_proc->p_fd, SCARG(uap, fd), &fp)) != 0) return (error); mp = ((struct vnode *)fp->f_data)->v_mount; fdrop(fp, td); if (mp == NULL) return (EBADF); #ifdef MAC error = mac_check_mount_stat(td->td_ucred, mp); if (error) return (error); #endif sp = &mp->mnt_stat; error = VFS_STATFS(mp, sp, td); if (error) return (error); sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; if (suser(td)) { bcopy(sp, &sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; sp = &sb; } return (copyout(sp, SCARG(uap, buf), sizeof(*sp))); } /* * Get statistics on all filesystems. */ #ifndef _SYS_SYSPROTO_H_ struct getfsstat_args { struct statfs *buf; long bufsize; int flags; }; #endif int getfsstat(td, uap) struct thread *td; register struct getfsstat_args /* { syscallarg(struct statfs *) buf; syscallarg(long) bufsize; syscallarg(int) flags; } */ *uap; { register struct mount *mp, *nmp; register struct statfs *sp; caddr_t sfsp; long count, maxcount, error; maxcount = SCARG(uap, bufsize) / sizeof(struct statfs); sfsp = (caddr_t)SCARG(uap, buf); count = 0; mtx_lock(&mountlist_mtx); for (mp = TAILQ_FIRST(&mountlist); mp != NULL; mp = nmp) { #ifdef MAC if (mac_check_mount_stat(td->td_ucred, mp) != 0) { nmp = TAILQ_NEXT(mp, mnt_list); continue; } #endif if (vfs_busy(mp, LK_NOWAIT, &mountlist_mtx, td)) { nmp = TAILQ_NEXT(mp, mnt_list); continue; } if (sfsp && count < maxcount) { sp = &mp->mnt_stat; /* * If MNT_NOWAIT or MNT_LAZY is specified, do not * refresh the fsstat cache. MNT_NOWAIT or MNT_LAZY * overrides MNT_WAIT. */ if (((SCARG(uap, flags) & (MNT_LAZY|MNT_NOWAIT)) == 0 || (SCARG(uap, flags) & MNT_WAIT)) && (error = VFS_STATFS(mp, sp, td))) { mtx_lock(&mountlist_mtx); nmp = TAILQ_NEXT(mp, mnt_list); vfs_unbusy(mp, td); continue; } sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; error = copyout(sp, sfsp, sizeof(*sp)); if (error) { vfs_unbusy(mp, td); return (error); } sfsp += sizeof(*sp); } count++; mtx_lock(&mountlist_mtx); nmp = TAILQ_NEXT(mp, mnt_list); vfs_unbusy(mp, td); } mtx_unlock(&mountlist_mtx); if (sfsp && count > maxcount) td->td_retval[0] = maxcount; else td->td_retval[0] = count; return (0); } /* * Change current working directory to a given file descriptor. */ #ifndef _SYS_SYSPROTO_H_ struct fchdir_args { int fd; }; #endif /* ARGSUSED */ int fchdir(td, uap) struct thread *td; struct fchdir_args /* { syscallarg(int) fd; } */ *uap; { register struct filedesc *fdp = td->td_proc->p_fd; struct vnode *vp, *tdp, *vpold; struct mount *mp; struct file *fp; int error; if ((error = getvnode(fdp, SCARG(uap, fd), &fp)) != 0) return (error); vp = (struct vnode *)fp->f_data; VREF(vp); fdrop(fp, td); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); if (vp->v_type != VDIR) error = ENOTDIR; #ifdef MAC else if ((error = mac_check_vnode_chdir(td->td_ucred, vp)) != 0) { } #endif else error = VOP_ACCESS(vp, VEXEC, td->td_ucred, td); while (!error && (mp = vp->v_mountedhere) != NULL) { if (vfs_busy(mp, 0, 0, td)) continue; error = VFS_ROOT(mp, &tdp); vfs_unbusy(mp, td); if (error) break; vput(vp); vp = tdp; } if (error) { vput(vp); return (error); } VOP_UNLOCK(vp, 0, td); FILEDESC_LOCK(fdp); vpold = fdp->fd_cdir; fdp->fd_cdir = vp; FILEDESC_UNLOCK(fdp); vrele(vpold); return (0); } /* * Change current working directory (``.''). */ #ifndef _SYS_SYSPROTO_H_ struct chdir_args { char *path; }; #endif /* ARGSUSED */ int chdir(td, uap) struct thread *td; struct chdir_args /* { syscallarg(char *) path; } */ *uap; { register struct filedesc *fdp = td->td_proc->p_fd; int error; struct nameidata nd; struct vnode *vp; NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, SCARG(uap, path), td); if ((error = change_dir(&nd, td)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); FILEDESC_LOCK(fdp); vp = fdp->fd_cdir; fdp->fd_cdir = nd.ni_vp; FILEDESC_UNLOCK(fdp); vrele(vp); return (0); } /* * Helper function for raised chroot(2) security function: Refuse if * any filedescriptors are open directories. */ static int chroot_refuse_vdir_fds(fdp) struct filedesc *fdp; { struct vnode *vp; struct file *fp; int fd; FILEDESC_LOCK_ASSERT(fdp, MA_OWNED); for (fd = 0; fd < fdp->fd_nfiles ; fd++) { fp = fget_locked(fdp, fd); if (fp == NULL) continue; if (fp->f_type == DTYPE_VNODE) { vp = (struct vnode *)fp->f_data; if (vp->v_type == VDIR) return (EPERM); } } return (0); } /* * This sysctl determines if we will allow a process to chroot(2) if it * has a directory open: * 0: disallowed for all processes. * 1: allowed for processes that were not already chroot(2)'ed. * 2: allowed for all processes. */ static int chroot_allow_open_directories = 1; SYSCTL_INT(_kern, OID_AUTO, chroot_allow_open_directories, CTLFLAG_RW, &chroot_allow_open_directories, 0, ""); /* * Change notion of root (``/'') directory. */ #ifndef _SYS_SYSPROTO_H_ struct chroot_args { char *path; }; #endif /* ARGSUSED */ int chroot(td, uap) struct thread *td; struct chroot_args /* { syscallarg(char *) path; } */ *uap; { register struct filedesc *fdp = td->td_proc->p_fd; int error; struct nameidata nd; struct vnode *vp; error = suser_cred(td->td_ucred, PRISON_ROOT); if (error) return (error); NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, SCARG(uap, path), td); mtx_lock(&Giant); if ((error = change_dir(&nd, td)) != 0) goto error; #ifdef MAC if ((error = mac_check_vnode_chroot(td->td_ucred, nd.ni_vp))) goto error; #endif FILEDESC_LOCK(fdp); if (chroot_allow_open_directories == 0 || (chroot_allow_open_directories == 1 && fdp->fd_rdir != rootvnode)) { error = chroot_refuse_vdir_fds(fdp); if (error) goto error_unlock; } vp = fdp->fd_rdir; fdp->fd_rdir = nd.ni_vp; if (!fdp->fd_jdir) { fdp->fd_jdir = nd.ni_vp; VREF(fdp->fd_jdir); } FILEDESC_UNLOCK(fdp); NDFREE(&nd, NDF_ONLY_PNBUF); vrele(vp); mtx_unlock(&Giant); return (0); error_unlock: FILEDESC_UNLOCK(fdp); error: mtx_unlock(&Giant); NDFREE(&nd, 0); return (error); } /* * Common routine for chroot and chdir. */ static int change_dir(ndp, td) register struct nameidata *ndp; struct thread *td; { struct vnode *vp; int error; error = namei(ndp); if (error) return (error); vp = ndp->ni_vp; if (vp->v_type != VDIR) error = ENOTDIR; #ifdef MAC else if ((error = mac_check_vnode_chdir(td->td_ucred, vp)) != 0) { } #endif else error = VOP_ACCESS(vp, VEXEC, td->td_ucred, td); if (error) vput(vp); else VOP_UNLOCK(vp, 0, td); return (error); } /* * Check permissions, allocate an open file structure, * and call the device open routine if any. */ #ifndef _SYS_SYSPROTO_H_ struct open_args { char *path; int flags; int mode; }; #endif int open(td, uap) struct thread *td; register struct open_args /* { syscallarg(char *) path; syscallarg(int) flags; syscallarg(int) mode; } */ *uap; { struct proc *p = td->td_proc; struct filedesc *fdp = p->p_fd; struct file *fp; struct vnode *vp; struct vattr vat; struct mount *mp; int cmode, flags, oflags; struct file *nfp; int type, indx, error; struct flock lf; struct nameidata nd; oflags = SCARG(uap, flags); if ((oflags & O_ACCMODE) == O_ACCMODE) return (EINVAL); flags = FFLAGS(oflags); error = falloc(td, &nfp, &indx); if (error) return (error); fp = nfp; FILEDESC_LOCK(fdp); cmode = ((SCARG(uap, mode) &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT; FILEDESC_UNLOCK(fdp); NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), td); td->td_dupfd = -indx - 1; /* XXX check for fdopen */ /* * Bump the ref count to prevent another process from closing * the descriptor while we are blocked in vn_open() */ fhold(fp); error = vn_open(&nd, &flags, cmode); if (error) { /* * release our own reference */ fdrop(fp, td); /* * handle special fdopen() case. bleh. dupfdopen() is * responsible for dropping the old contents of ofiles[indx] * if it succeeds. */ if ((error == ENODEV || error == ENXIO) && td->td_dupfd >= 0 && /* XXX from fdopen */ (error = dupfdopen(td, fdp, indx, td->td_dupfd, flags, error)) == 0) { td->td_retval[0] = indx; return (0); } /* * Clean up the descriptor, but only if another thread hadn't * replaced or closed it. */ FILEDESC_LOCK(fdp); if (fdp->fd_ofiles[indx] == fp) { fdp->fd_ofiles[indx] = NULL; FILEDESC_UNLOCK(fdp); fdrop(fp, td); } else FILEDESC_UNLOCK(fdp); if (error == ERESTART) error = EINTR; return (error); } td->td_dupfd = 0; NDFREE(&nd, NDF_ONLY_PNBUF); vp = nd.ni_vp; /* * There should be 2 references on the file, one from the descriptor * table, and one for us. * * Handle the case where someone closed the file (via its file * descriptor) while we were blocked. The end result should look * like opening the file succeeded but it was immediately closed. */ FILEDESC_LOCK(fdp); FILE_LOCK(fp); if (fp->f_count == 1) { KASSERT(fdp->fd_ofiles[indx] != fp, ("Open file descriptor lost all refs")); FILEDESC_UNLOCK(fdp); FILE_UNLOCK(fp); VOP_UNLOCK(vp, 0, td); vn_close(vp, flags & FMASK, fp->f_cred, td); fdrop(fp, td); td->td_retval[0] = indx; return 0; } /* assert that vn_open created a backing object if one is needed */ KASSERT(!vn_canvmio(vp) || VOP_GETVOBJECT(vp, NULL) == 0, ("open: vmio vnode has no backing object after vn_open")); fp->f_data = vp; fp->f_flag = flags & FMASK; fp->f_ops = &vnops; fp->f_type = (vp->v_type == VFIFO ? DTYPE_FIFO : DTYPE_VNODE); FILEDESC_UNLOCK(fdp); FILE_UNLOCK(fp); VOP_UNLOCK(vp, 0, td); if (flags & (O_EXLOCK | O_SHLOCK)) { lf.l_whence = SEEK_SET; lf.l_start = 0; lf.l_len = 0; if (flags & O_EXLOCK) lf.l_type = F_WRLCK; else lf.l_type = F_RDLCK; type = F_FLOCK; if ((flags & FNONBLOCK) == 0) type |= F_WAIT; if ((error = VOP_ADVLOCK(vp, (caddr_t)fp, F_SETLK, &lf, type)) != 0) goto bad; fp->f_flag |= FHASLOCK; } if (flags & O_TRUNC) { if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) goto bad; VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); VATTR_NULL(&vat); vat.va_size = 0; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC - error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(td->td_ucred, vp); if (error == 0) #endif error = VOP_SETATTR(vp, &vat, td->td_ucred, td); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); if (error) goto bad; } /* * Release our private reference, leaving the one associated with * the descriptor table intact. */ fdrop(fp, td); td->td_retval[0] = indx; return (0); bad: FILEDESC_LOCK(fdp); if (fdp->fd_ofiles[indx] == fp) { fdp->fd_ofiles[indx] = NULL; FILEDESC_UNLOCK(fdp); fdrop(fp, td); } else FILEDESC_UNLOCK(fdp); return (error); } #ifdef COMPAT_43 /* * Create a file. */ #ifndef _SYS_SYSPROTO_H_ struct ocreat_args { char *path; int mode; }; #endif int ocreat(td, uap) struct thread *td; register struct ocreat_args /* { syscallarg(char *) path; syscallarg(int) mode; } */ *uap; { struct open_args /* { syscallarg(char *) path; syscallarg(int) flags; syscallarg(int) mode; } */ nuap; SCARG(&nuap, path) = SCARG(uap, path); SCARG(&nuap, mode) = SCARG(uap, mode); SCARG(&nuap, flags) = O_WRONLY | O_CREAT | O_TRUNC; return (open(td, &nuap)); } #endif /* COMPAT_43 */ /* * Create a special file. */ #ifndef _SYS_SYSPROTO_H_ struct mknod_args { char *path; int mode; int dev; }; #endif /* ARGSUSED */ int mknod(td, uap) struct thread *td; register struct mknod_args /* { syscallarg(char *) path; syscallarg(int) mode; syscallarg(int) dev; } */ *uap; { struct vnode *vp; struct mount *mp; struct vattr vattr; int error; int whiteout = 0; struct nameidata nd; switch (SCARG(uap, mode) & S_IFMT) { case S_IFCHR: case S_IFBLK: error = suser(td); break; default: error = suser_cred(td->td_ucred, PRISON_ROOT); break; } if (error) return (error); restart: bwillwrite(); NDINIT(&nd, CREATE, LOCKPARENT | SAVENAME, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; if (vp != NULL) { vrele(vp); error = EEXIST; } else { VATTR_NULL(&vattr); FILEDESC_LOCK(td->td_proc->p_fd); vattr.va_mode = (SCARG(uap, mode) & ALLPERMS) &~ td->td_proc->p_fd->fd_cmask; FILEDESC_UNLOCK(td->td_proc->p_fd); vattr.va_rdev = SCARG(uap, dev); whiteout = 0; switch (SCARG(uap, mode) & S_IFMT) { case S_IFMT: /* used by badsect to flag bad sectors */ vattr.va_type = VBAD; break; case S_IFCHR: vattr.va_type = VCHR; break; case S_IFBLK: vattr.va_type = VBLK; break; case S_IFWHT: whiteout = 1; break; default: error = EINVAL; break; } } if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) { NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); if ((error = vn_start_write(NULL, &mp, V_XSLEEP | PCATCH)) != 0) return (error); goto restart; } if (!error) { VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE); if (whiteout) error = VOP_WHITEOUT(nd.ni_dvp, &nd.ni_cnd, CREATE); else { error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr); if (error == 0) vput(nd.ni_vp); } } NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); vn_finished_write(mp); ASSERT_VOP_UNLOCKED(nd.ni_dvp, "mknod"); ASSERT_VOP_UNLOCKED(nd.ni_vp, "mknod"); return (error); } /* * Create a named pipe. */ #ifndef _SYS_SYSPROTO_H_ struct mkfifo_args { char *path; int mode; }; #endif /* ARGSUSED */ int mkfifo(td, uap) struct thread *td; register struct mkfifo_args /* { syscallarg(char *) path; syscallarg(int) mode; } */ *uap; { struct mount *mp; struct vattr vattr; int error; struct nameidata nd; restart: bwillwrite(); NDINIT(&nd, CREATE, LOCKPARENT | SAVENAME, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); if (nd.ni_vp != NULL) { NDFREE(&nd, NDF_ONLY_PNBUF); vrele(nd.ni_vp); vput(nd.ni_dvp); return (EEXIST); } if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) { NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); if ((error = vn_start_write(NULL, &mp, V_XSLEEP | PCATCH)) != 0) return (error); goto restart; } VATTR_NULL(&vattr); vattr.va_type = VFIFO; FILEDESC_LOCK(td->td_proc->p_fd); vattr.va_mode = (SCARG(uap, mode) & ALLPERMS) &~ td->td_proc->p_fd->fd_cmask; FILEDESC_UNLOCK(td->td_proc->p_fd); VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE); error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr); if (error == 0) vput(nd.ni_vp); NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); vn_finished_write(mp); return (error); } /* * Make a hard file link. */ #ifndef _SYS_SYSPROTO_H_ struct link_args { char *path; char *link; }; #endif /* ARGSUSED */ int link(td, uap) struct thread *td; register struct link_args /* { syscallarg(char *) path; syscallarg(char *) link; } */ *uap; { struct vnode *vp; struct mount *mp; struct nameidata nd; int error; bwillwrite(); NDINIT(&nd, LOOKUP, FOLLOW|NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); vp = nd.ni_vp; if (vp->v_type == VDIR) { vrele(vp); return (EPERM); /* POSIX */ } if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) { vrele(vp); return (error); } NDINIT(&nd, CREATE, LOCKPARENT | NOOBJ | SAVENAME, UIO_USERSPACE, SCARG(uap, link), td); if ((error = namei(&nd)) == 0) { if (nd.ni_vp != NULL) { vrele(nd.ni_vp); error = EEXIST; } else { VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); error = VOP_LINK(nd.ni_dvp, vp, &nd.ni_cnd); } NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); } vrele(vp); vn_finished_write(mp); ASSERT_VOP_UNLOCKED(nd.ni_dvp, "link"); ASSERT_VOP_UNLOCKED(nd.ni_vp, "link"); return (error); } /* * Make a symbolic link. */ #ifndef _SYS_SYSPROTO_H_ struct symlink_args { char *path; char *link; }; #endif /* ARGSUSED */ int symlink(td, uap) struct thread *td; register struct symlink_args /* { syscallarg(char *) path; syscallarg(char *) link; } */ *uap; { struct mount *mp; struct vattr vattr; char *path; int error; struct nameidata nd; path = uma_zalloc(namei_zone, M_WAITOK); if ((error = copyinstr(SCARG(uap, path), path, MAXPATHLEN, NULL)) != 0) goto out; restart: bwillwrite(); NDINIT(&nd, CREATE, LOCKPARENT | NOOBJ | SAVENAME, UIO_USERSPACE, SCARG(uap, link), td); if ((error = namei(&nd)) != 0) goto out; if (nd.ni_vp) { NDFREE(&nd, NDF_ONLY_PNBUF); vrele(nd.ni_vp); vput(nd.ni_dvp); error = EEXIST; goto out; } if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) { NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); if ((error = vn_start_write(NULL, &mp, V_XSLEEP | PCATCH)) != 0) return (error); goto restart; } VATTR_NULL(&vattr); FILEDESC_LOCK(td->td_proc->p_fd); vattr.va_mode = ACCESSPERMS &~ td->td_proc->p_fd->fd_cmask; FILEDESC_UNLOCK(td->td_proc->p_fd); VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE); error = VOP_SYMLINK(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr, path); NDFREE(&nd, NDF_ONLY_PNBUF); if (error == 0) vput(nd.ni_vp); vput(nd.ni_dvp); vn_finished_write(mp); ASSERT_VOP_UNLOCKED(nd.ni_dvp, "symlink"); ASSERT_VOP_UNLOCKED(nd.ni_vp, "symlink"); out: uma_zfree(namei_zone, path); return (error); } /* * Delete a whiteout from the filesystem. */ /* ARGSUSED */ int undelete(td, uap) struct thread *td; register struct undelete_args /* { syscallarg(char *) path; } */ *uap; { int error; struct mount *mp; struct nameidata nd; restart: bwillwrite(); NDINIT(&nd, DELETE, LOCKPARENT|DOWHITEOUT, UIO_USERSPACE, SCARG(uap, path), td); error = namei(&nd); if (error) return (error); if (nd.ni_vp != NULLVP || !(nd.ni_cnd.cn_flags & ISWHITEOUT)) { NDFREE(&nd, NDF_ONLY_PNBUF); if (nd.ni_vp) vrele(nd.ni_vp); vput(nd.ni_dvp); return (EEXIST); } if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) { NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); if ((error = vn_start_write(NULL, &mp, V_XSLEEP | PCATCH)) != 0) return (error); goto restart; } VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE); error = VOP_WHITEOUT(nd.ni_dvp, &nd.ni_cnd, DELETE); NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); vn_finished_write(mp); ASSERT_VOP_UNLOCKED(nd.ni_dvp, "undelete"); ASSERT_VOP_UNLOCKED(nd.ni_vp, "undelete"); return (error); } /* * Delete a name from the filesystem. */ #ifndef _SYS_SYSPROTO_H_ struct unlink_args { char *path; }; #endif /* ARGSUSED */ int unlink(td, uap) struct thread *td; struct unlink_args /* { syscallarg(char *) path; } */ *uap; { struct mount *mp; struct vnode *vp; int error; struct nameidata nd; restart: bwillwrite(); NDINIT(&nd, DELETE, LOCKPARENT, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; if (vp->v_type == VDIR) error = EPERM; /* POSIX */ else { /* * The root of a mounted filesystem cannot be deleted. * * XXX: can this only be a VDIR case? */ mp_fixme("Accessing vflags w/o the vn lock."); if (vp->v_vflag & VV_ROOT) error = EBUSY; } if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) { NDFREE(&nd, NDF_ONLY_PNBUF); vrele(vp); vput(nd.ni_dvp); if ((error = vn_start_write(NULL, &mp, V_XSLEEP | PCATCH)) != 0) return (error); goto restart; } VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); if (!error) { VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE); error = VOP_REMOVE(nd.ni_dvp, vp, &nd.ni_cnd); } NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); vput(vp); vn_finished_write(mp); ASSERT_VOP_UNLOCKED(nd.ni_dvp, "unlink"); ASSERT_VOP_UNLOCKED(nd.ni_vp, "unlink"); return (error); } /* * Reposition read/write file offset. */ #ifndef _SYS_SYSPROTO_H_ struct lseek_args { int fd; int pad; off_t offset; int whence; }; #endif int lseek(td, uap) struct thread *td; register struct lseek_args /* { syscallarg(int) fd; syscallarg(int) pad; syscallarg(off_t) offset; syscallarg(int) whence; } */ *uap; { struct ucred *cred = td->td_ucred; struct file *fp; struct vnode *vp; struct vattr vattr; off_t offset; int error, noneg; if ((error = fget(td, uap->fd, &fp)) != 0) return (error); if (fp->f_type != DTYPE_VNODE) { fdrop(fp, td); return (ESPIPE); } vp = (struct vnode *)fp->f_data; noneg = (vp->v_type != VCHR); offset = SCARG(uap, offset); switch (SCARG(uap, whence)) { case L_INCR: if (noneg && (fp->f_offset < 0 || (offset > 0 && fp->f_offset > OFF_MAX - offset))) return (EOVERFLOW); offset += fp->f_offset; break; case L_XTND: vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = VOP_GETATTR(vp, &vattr, cred, td); VOP_UNLOCK(vp, 0, td); if (error) return (error); if (noneg && (vattr.va_size > OFF_MAX || (offset > 0 && vattr.va_size > OFF_MAX - offset))) return (EOVERFLOW); offset += vattr.va_size; break; case L_SET: break; default: fdrop(fp, td); return (EINVAL); } if (noneg && offset < 0) return (EINVAL); fp->f_offset = offset; *(off_t *)(td->td_retval) = fp->f_offset; fdrop(fp, td); return (0); } #if defined(COMPAT_43) || defined(COMPAT_SUNOS) /* * Reposition read/write file offset. */ #ifndef _SYS_SYSPROTO_H_ struct olseek_args { int fd; long offset; int whence; }; #endif int olseek(td, uap) struct thread *td; register struct olseek_args /* { syscallarg(int) fd; syscallarg(long) offset; syscallarg(int) whence; } */ *uap; { struct lseek_args /* { syscallarg(int) fd; syscallarg(int) pad; syscallarg(off_t) offset; syscallarg(int) whence; } */ nuap; int error; SCARG(&nuap, fd) = SCARG(uap, fd); SCARG(&nuap, offset) = SCARG(uap, offset); SCARG(&nuap, whence) = SCARG(uap, whence); error = lseek(td, &nuap); return (error); } #endif /* COMPAT_43 */ /* * Check access permissions using passed credentials. */ static int vn_access(vp, user_flags, cred, td) struct vnode *vp; int user_flags; struct ucred *cred; struct thread *td; { int error, flags; /* Flags == 0 means only check for existence. */ error = 0; if (user_flags) { flags = 0; if (user_flags & R_OK) flags |= VREAD; if (user_flags & W_OK) flags |= VWRITE; if (user_flags & X_OK) flags |= VEXEC; #ifdef MAC error = mac_check_vnode_access(cred, vp, flags); if (error) return (error); #endif if ((flags & VWRITE) == 0 || (error = vn_writechk(vp)) == 0) error = VOP_ACCESS(vp, flags, cred, td); } return (error); } /* * Check access permissions using "real" credentials. */ #ifndef _SYS_SYSPROTO_H_ struct access_args { char *path; int flags; }; #endif int access(td, uap) struct thread *td; register struct access_args /* { syscallarg(char *) path; syscallarg(int) flags; } */ *uap; { struct ucred *cred, *tmpcred; register struct vnode *vp; int error; struct nameidata nd; /* * Create and modify a temporary credential instead of one that * is potentially shared. This could also mess up socket * buffer accounting which can run in an interrupt context. * * XXX - Depending on how "threads" are finally implemented, it * may be better to explicitly pass the credential to namei() * rather than to modify the potentially shared process structure. */ cred = td->td_ucred; tmpcred = crdup(cred); tmpcred->cr_uid = cred->cr_ruid; tmpcred->cr_groups[0] = cred->cr_rgid; td->td_ucred = tmpcred; NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) goto out1; vp = nd.ni_vp; error = vn_access(vp, SCARG(uap, flags), tmpcred, td); NDFREE(&nd, NDF_ONLY_PNBUF); vput(vp); out1: td->td_ucred = cred; crfree(tmpcred); return (error); } /* * Check access permissions using "effective" credentials. */ #ifndef _SYS_SYSPROTO_H_ struct eaccess_args { char *path; int flags; }; #endif int eaccess(td, uap) struct thread *td; register struct eaccess_args /* { syscallarg(char *) path; syscallarg(int) flags; } */ *uap; { struct nameidata nd; struct vnode *vp; int error; NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; error = vn_access(vp, SCARG(uap, flags), td->td_ucred, td); NDFREE(&nd, NDF_ONLY_PNBUF); vput(vp); return (error); } #if defined(COMPAT_43) || defined(COMPAT_SUNOS) /* * Get file status; this version follows links. */ #ifndef _SYS_SYSPROTO_H_ struct ostat_args { char *path; struct ostat *ub; }; #endif /* ARGSUSED */ int ostat(td, uap) struct thread *td; register struct ostat_args /* { syscallarg(char *) path; syscallarg(struct ostat *) ub; } */ *uap; { struct stat sb; struct ostat osb; int error; struct nameidata nd; NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = vn_stat(nd.ni_vp, &sb, td->td_ucred, NOCRED, td); vput(nd.ni_vp); if (error) return (error); cvtstat(&sb, &osb); error = copyout(&osb, SCARG(uap, ub), sizeof (osb)); return (error); } /* * Get file status; this version does not follow links. */ #ifndef _SYS_SYSPROTO_H_ struct olstat_args { char *path; struct ostat *ub; }; #endif /* ARGSUSED */ int olstat(td, uap) struct thread *td; register struct olstat_args /* { syscallarg(char *) path; syscallarg(struct ostat *) ub; } */ *uap; { struct vnode *vp; struct stat sb; struct ostat osb; int error; struct nameidata nd; NDINIT(&nd, LOOKUP, NOFOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; error = vn_stat(vp, &sb, td->td_ucred, NOCRED, td); NDFREE(&nd, NDF_ONLY_PNBUF); vput(vp); if (error) return (error); cvtstat(&sb, &osb); error = copyout(&osb, SCARG(uap, ub), sizeof (osb)); return (error); } /* * Convert from an old to a new stat structure. */ void cvtstat(st, ost) struct stat *st; struct ostat *ost; { ost->st_dev = st->st_dev; ost->st_ino = st->st_ino; ost->st_mode = st->st_mode; ost->st_nlink = st->st_nlink; ost->st_uid = st->st_uid; ost->st_gid = st->st_gid; ost->st_rdev = st->st_rdev; if (st->st_size < (quad_t)1 << 32) ost->st_size = st->st_size; else ost->st_size = -2; ost->st_atime = st->st_atime; ost->st_mtime = st->st_mtime; ost->st_ctime = st->st_ctime; ost->st_blksize = st->st_blksize; ost->st_blocks = st->st_blocks; ost->st_flags = st->st_flags; ost->st_gen = st->st_gen; } #endif /* COMPAT_43 || COMPAT_SUNOS */ /* * Get file status; this version follows links. */ #ifndef _SYS_SYSPROTO_H_ struct stat_args { char *path; struct stat *ub; }; #endif /* ARGSUSED */ int stat(td, uap) struct thread *td; register struct stat_args /* { syscallarg(char *) path; syscallarg(struct stat *) ub; } */ *uap; { struct stat sb; int error; struct nameidata nd; #ifdef LOOKUP_SHARED NDINIT(&nd, LOOKUP, FOLLOW | LOCKSHARED | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); #else NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); #endif if ((error = namei(&nd)) != 0) return (error); error = vn_stat(nd.ni_vp, &sb, td->td_ucred, NOCRED, td); NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_vp); if (error) return (error); error = copyout(&sb, SCARG(uap, ub), sizeof (sb)); return (error); } /* * Get file status; this version does not follow links. */ #ifndef _SYS_SYSPROTO_H_ struct lstat_args { char *path; struct stat *ub; }; #endif /* ARGSUSED */ int lstat(td, uap) struct thread *td; register struct lstat_args /* { syscallarg(char *) path; syscallarg(struct stat *) ub; } */ *uap; { int error; struct vnode *vp; struct stat sb; struct nameidata nd; NDINIT(&nd, LOOKUP, NOFOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; error = vn_stat(vp, &sb, td->td_ucred, NOCRED, td); NDFREE(&nd, NDF_ONLY_PNBUF); vput(vp); if (error) return (error); error = copyout(&sb, SCARG(uap, ub), sizeof (sb)); return (error); } /* * Implementation of the NetBSD stat() function. * XXX This should probably be collapsed with the FreeBSD version, * as the differences are only due to vn_stat() clearing spares at * the end of the structures. vn_stat could be split to avoid this, * and thus collapse the following to close to zero code. */ void cvtnstat(sb, nsb) struct stat *sb; struct nstat *nsb; { bzero(nsb, sizeof *nsb); nsb->st_dev = sb->st_dev; nsb->st_ino = sb->st_ino; nsb->st_mode = sb->st_mode; nsb->st_nlink = sb->st_nlink; nsb->st_uid = sb->st_uid; nsb->st_gid = sb->st_gid; nsb->st_rdev = sb->st_rdev; nsb->st_atimespec = sb->st_atimespec; nsb->st_mtimespec = sb->st_mtimespec; nsb->st_ctimespec = sb->st_ctimespec; nsb->st_size = sb->st_size; nsb->st_blocks = sb->st_blocks; nsb->st_blksize = sb->st_blksize; nsb->st_flags = sb->st_flags; nsb->st_gen = sb->st_gen; nsb->st_birthtimespec = sb->st_birthtimespec; } #ifndef _SYS_SYSPROTO_H_ struct nstat_args { char *path; struct nstat *ub; }; #endif /* ARGSUSED */ int nstat(td, uap) struct thread *td; register struct nstat_args /* { syscallarg(char *) path; syscallarg(struct nstat *) ub; } */ *uap; { struct stat sb; struct nstat nsb; int error; struct nameidata nd; NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = vn_stat(nd.ni_vp, &sb, td->td_ucred, NOCRED, td); vput(nd.ni_vp); if (error) return (error); cvtnstat(&sb, &nsb); error = copyout(&nsb, SCARG(uap, ub), sizeof (nsb)); return (error); } /* * NetBSD lstat. Get file status; this version does not follow links. */ #ifndef _SYS_SYSPROTO_H_ struct lstat_args { char *path; struct stat *ub; }; #endif /* ARGSUSED */ int nlstat(td, uap) struct thread *td; register struct nlstat_args /* { syscallarg(char *) path; syscallarg(struct nstat *) ub; } */ *uap; { int error; struct vnode *vp; struct stat sb; struct nstat nsb; struct nameidata nd; NDINIT(&nd, LOOKUP, NOFOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; NDFREE(&nd, NDF_ONLY_PNBUF); error = vn_stat(vp, &sb, td->td_ucred, NOCRED, td); vput(vp); if (error) return (error); cvtnstat(&sb, &nsb); error = copyout(&nsb, SCARG(uap, ub), sizeof (nsb)); return (error); } /* * Get configurable pathname variables. */ #ifndef _SYS_SYSPROTO_H_ struct pathconf_args { char *path; int name; }; #endif /* ARGSUSED */ int pathconf(td, uap) struct thread *td; register struct pathconf_args /* { syscallarg(char *) path; syscallarg(int) name; } */ *uap; { int error; struct nameidata nd; NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = VOP_PATHCONF(nd.ni_vp, SCARG(uap, name), td->td_retval); vput(nd.ni_vp); return (error); } /* * Return target name of a symbolic link. */ #ifndef _SYS_SYSPROTO_H_ struct readlink_args { char *path; char *buf; int count; }; #endif /* ARGSUSED */ int readlink(td, uap) struct thread *td; register struct readlink_args /* { syscallarg(char *) path; syscallarg(char *) buf; syscallarg(int) count; } */ *uap; { register struct vnode *vp; struct iovec aiov; struct uio auio; int error; struct nameidata nd; NDINIT(&nd, LOOKUP, NOFOLLOW | LOCKLEAF | NOOBJ, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); vp = nd.ni_vp; #ifdef MAC error = mac_check_vnode_readlink(td->td_ucred, vp); if (error) { vput(vp); return (error); } #endif if (vp->v_type != VLNK) error = EINVAL; else { aiov.iov_base = SCARG(uap, buf); aiov.iov_len = SCARG(uap, count); auio.uio_iov = &aiov; auio.uio_iovcnt = 1; auio.uio_offset = 0; auio.uio_rw = UIO_READ; auio.uio_segflg = UIO_USERSPACE; auio.uio_td = td; auio.uio_resid = SCARG(uap, count); error = VOP_READLINK(vp, &auio, td->td_ucred); } vput(vp); td->td_retval[0] = SCARG(uap, count) - auio.uio_resid; return (error); } /* * Common implementation code for chflags() and fchflags(). */ static int setfflags(td, vp, flags) struct thread *td; struct vnode *vp; int flags; { int error; struct mount *mp; struct vattr vattr; /* * Prevent non-root users from setting flags on devices. When * a device is reused, users can retain ownership of the device * if they are allowed to set flags and programs assume that * chown can't fail when done as root. */ if (vp->v_type == VCHR || vp->v_type == VBLK) { error = suser_cred(td->td_ucred, PRISON_ROOT); if (error) return (error); } if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) return (error); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC error = mac_check_vnode_setflags(td->td_ucred, vp, vattr.va_flags); if (error == 0) { #endif VATTR_NULL(&vattr); vattr.va_flags = flags; error = VOP_SETATTR(vp, &vattr, td->td_ucred, td); #ifdef MAC } #endif VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); return (error); } /* * Change flags of a file given a path name. */ #ifndef _SYS_SYSPROTO_H_ struct chflags_args { char *path; int flags; }; #endif /* ARGSUSED */ int chflags(td, uap) struct thread *td; register struct chflags_args /* { syscallarg(char *) path; syscallarg(int) flags; } */ *uap; { int error; struct nameidata nd; NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = setfflags(td, nd.ni_vp, SCARG(uap, flags)); vrele(nd.ni_vp); return error; } /* * Same as chflags() but doesn't follow symlinks. */ int lchflags(td, uap) struct thread *td; register struct lchflags_args /* { syscallarg(char *) path; syscallarg(int) flags; } */ *uap; { int error; struct nameidata nd; NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = setfflags(td, nd.ni_vp, SCARG(uap, flags)); vrele(nd.ni_vp); return error; } /* * Change flags of a file given a file descriptor. */ #ifndef _SYS_SYSPROTO_H_ struct fchflags_args { int fd; int flags; }; #endif /* ARGSUSED */ int fchflags(td, uap) struct thread *td; register struct fchflags_args /* { syscallarg(int) fd; syscallarg(int) flags; } */ *uap; { struct file *fp; int error; if ((error = getvnode(td->td_proc->p_fd, SCARG(uap, fd), &fp)) != 0) return (error); error = setfflags(td, (struct vnode *) fp->f_data, SCARG(uap, flags)); fdrop(fp, td); return (error); } /* * Common implementation code for chmod(), lchmod() and fchmod(). */ static int setfmode(td, vp, mode) struct thread *td; struct vnode *vp; int mode; { int error; struct mount *mp; struct vattr vattr; if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) return (error); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); VATTR_NULL(&vattr); vattr.va_mode = mode & ALLPERMS; #ifdef MAC error = mac_check_vnode_setmode(td->td_ucred, vp, vattr.va_mode); if (error == 0) #endif error = VOP_SETATTR(vp, &vattr, td->td_ucred, td); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); return error; } /* * Change mode of a file given path name. */ #ifndef _SYS_SYSPROTO_H_ struct chmod_args { char *path; int mode; }; #endif /* ARGSUSED */ int chmod(td, uap) struct thread *td; register struct chmod_args /* { syscallarg(char *) path; syscallarg(int) mode; } */ *uap; { int error; struct nameidata nd; NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = setfmode(td, nd.ni_vp, SCARG(uap, mode)); vrele(nd.ni_vp); return error; } /* * Change mode of a file given path name (don't follow links.) */ #ifndef _SYS_SYSPROTO_H_ struct lchmod_args { char *path; int mode; }; #endif /* ARGSUSED */ int lchmod(td, uap) struct thread *td; register struct lchmod_args /* { syscallarg(char *) path; syscallarg(int) mode; } */ *uap; { int error; struct nameidata nd; NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = setfmode(td, nd.ni_vp, SCARG(uap, mode)); vrele(nd.ni_vp); return error; } /* * Change mode of a file given a file descriptor. */ #ifndef _SYS_SYSPROTO_H_ struct fchmod_args { int fd; int mode; }; #endif /* ARGSUSED */ int fchmod(td, uap) struct thread *td; register struct fchmod_args /* { syscallarg(int) fd; syscallarg(int) mode; } */ *uap; { struct file *fp; struct vnode *vp; int error; if ((error = getvnode(td->td_proc->p_fd, SCARG(uap, fd), &fp)) != 0) return (error); vp = (struct vnode *)fp->f_data; error = setfmode(td, (struct vnode *)fp->f_data, SCARG(uap, mode)); fdrop(fp, td); return (error); } /* * Common implementation for chown(), lchown(), and fchown() */ static int setfown(td, vp, uid, gid) struct thread *td; struct vnode *vp; uid_t uid; gid_t gid; { int error; struct mount *mp; struct vattr vattr; if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) return (error); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); VATTR_NULL(&vattr); vattr.va_uid = uid; vattr.va_gid = gid; #ifdef MAC error = mac_check_vnode_setowner(td->td_ucred, vp, vattr.va_uid, vattr.va_gid); if (error == 0) #endif error = VOP_SETATTR(vp, &vattr, td->td_ucred, td); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); return error; } /* * Set ownership given a path name. */ #ifndef _SYS_SYSPROTO_H_ struct chown_args { char *path; int uid; int gid; }; #endif /* ARGSUSED */ int chown(td, uap) struct thread *td; register struct chown_args /* { syscallarg(char *) path; syscallarg(int) uid; syscallarg(int) gid; } */ *uap; { int error; struct nameidata nd; NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = setfown(td, nd.ni_vp, SCARG(uap, uid), SCARG(uap, gid)); vrele(nd.ni_vp); return (error); } /* * Set ownership given a path name, do not cross symlinks. */ #ifndef _SYS_SYSPROTO_H_ struct lchown_args { char *path; int uid; int gid; }; #endif /* ARGSUSED */ int lchown(td, uap) struct thread *td; register struct lchown_args /* { syscallarg(char *) path; syscallarg(int) uid; syscallarg(int) gid; } */ *uap; { int error; struct nameidata nd; NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = setfown(td, nd.ni_vp, SCARG(uap, uid), SCARG(uap, gid)); vrele(nd.ni_vp); return (error); } /* * Set ownership given a file descriptor. */ #ifndef _SYS_SYSPROTO_H_ struct fchown_args { int fd; int uid; int gid; }; #endif /* ARGSUSED */ int fchown(td, uap) struct thread *td; register struct fchown_args /* { syscallarg(int) fd; syscallarg(int) uid; syscallarg(int) gid; } */ *uap; { struct file *fp; struct vnode *vp; int error; if ((error = getvnode(td->td_proc->p_fd, SCARG(uap, fd), &fp)) != 0) return (error); vp = (struct vnode *)fp->f_data; error = setfown(td, (struct vnode *)fp->f_data, SCARG(uap, uid), SCARG(uap, gid)); fdrop(fp, td); return (error); } /* * Common implementation code for utimes(), lutimes(), and futimes(). */ static int getutimes(usrtvp, tsp) const struct timeval *usrtvp; struct timespec *tsp; { struct timeval tv[2]; int error; if (usrtvp == NULL) { microtime(&tv[0]); TIMEVAL_TO_TIMESPEC(&tv[0], &tsp[0]); tsp[1] = tsp[0]; } else { if ((error = copyin(usrtvp, tv, sizeof (tv))) != 0) return (error); TIMEVAL_TO_TIMESPEC(&tv[0], &tsp[0]); TIMEVAL_TO_TIMESPEC(&tv[1], &tsp[1]); } return 0; } /* * Common implementation code for utimes(), lutimes(), and futimes(). */ static int setutimes(td, vp, ts, numtimes, nullflag) struct thread *td; struct vnode *vp; const struct timespec *ts; int numtimes; int nullflag; { int error, setbirthtime; struct mount *mp; struct vattr vattr; if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) return (error); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); setbirthtime = 0; if (numtimes < 3 && VOP_GETATTR(vp, &vattr, td->td_ucred, td) == 0 && timespeccmp(&ts[1], &vattr.va_birthtime, < )) setbirthtime = 1; VATTR_NULL(&vattr); vattr.va_atime = ts[0]; vattr.va_mtime = ts[1]; if (setbirthtime) vattr.va_birthtime = ts[1]; if (numtimes > 2) vattr.va_birthtime = ts[2]; if (nullflag) vattr.va_vaflags |= VA_UTIMES_NULL; #ifdef MAC error = mac_check_vnode_setutimes(td->td_ucred, vp, vattr.va_atime, vattr.va_mtime); if (error == 0) #endif error = VOP_SETATTR(vp, &vattr, td->td_ucred, td); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); return error; } /* * Set the access and modification times of a file. */ #ifndef _SYS_SYSPROTO_H_ struct utimes_args { char *path; struct timeval *tptr; }; #endif /* ARGSUSED */ int utimes(td, uap) struct thread *td; register struct utimes_args /* { syscallarg(char *) path; syscallarg(struct timeval *) tptr; } */ *uap; { struct timespec ts[2]; struct timeval *usrtvp; int error; struct nameidata nd; usrtvp = SCARG(uap, tptr); if ((error = getutimes(usrtvp, ts)) != 0) return (error); NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = setutimes(td, nd.ni_vp, ts, 2, usrtvp == NULL); vrele(nd.ni_vp); return (error); } /* * Set the access and modification times of a file. */ #ifndef _SYS_SYSPROTO_H_ struct lutimes_args { char *path; struct timeval *tptr; }; #endif /* ARGSUSED */ int lutimes(td, uap) struct thread *td; register struct lutimes_args /* { syscallarg(char *) path; syscallarg(struct timeval *) tptr; } */ *uap; { struct timespec ts[2]; struct timeval *usrtvp; int error; struct nameidata nd; usrtvp = SCARG(uap, tptr); if ((error = getutimes(usrtvp, ts)) != 0) return (error); NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = setutimes(td, nd.ni_vp, ts, 2, usrtvp == NULL); vrele(nd.ni_vp); return (error); } /* * Set the access and modification times of a file. */ #ifndef _SYS_SYSPROTO_H_ struct futimes_args { int fd; struct timeval *tptr; }; #endif /* ARGSUSED */ int futimes(td, uap) struct thread *td; register struct futimes_args /* { syscallarg(int ) fd; syscallarg(struct timeval *) tptr; } */ *uap; { struct timespec ts[2]; struct file *fp; struct timeval *usrtvp; int error; usrtvp = SCARG(uap, tptr); if ((error = getutimes(usrtvp, ts)) != 0) return (error); if ((error = getvnode(td->td_proc->p_fd, SCARG(uap, fd), &fp)) != 0) return (error); error = setutimes(td, (struct vnode *)fp->f_data, ts, 2, usrtvp==NULL); fdrop(fp, td); return (error); } /* * Truncate a file given its path name. */ #ifndef _SYS_SYSPROTO_H_ struct truncate_args { char *path; int pad; off_t length; }; #endif /* ARGSUSED */ int truncate(td, uap) struct thread *td; register struct truncate_args /* { syscallarg(char *) path; syscallarg(int) pad; syscallarg(off_t) length; } */ *uap; { struct mount *mp; struct vnode *vp; struct vattr vattr; int error; struct nameidata nd; if (uap->length < 0) return(EINVAL); NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) { vrele(vp); return (error); } NDFREE(&nd, NDF_ONLY_PNBUF); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); if (vp->v_type == VDIR) error = EISDIR; #ifdef MAC - else if ((error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE))) {} + else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {} #endif else if ((error = vn_writechk(vp)) == 0 && (error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td)) == 0) { VATTR_NULL(&vattr); vattr.va_size = SCARG(uap, length); error = VOP_SETATTR(vp, &vattr, td->td_ucred, td); } vput(vp); vn_finished_write(mp); return (error); } /* * Truncate a file given a file descriptor. */ #ifndef _SYS_SYSPROTO_H_ struct ftruncate_args { int fd; int pad; off_t length; }; #endif /* ARGSUSED */ int ftruncate(td, uap) struct thread *td; register struct ftruncate_args /* { syscallarg(int) fd; syscallarg(int) pad; syscallarg(off_t) length; } */ *uap; { struct mount *mp; struct vattr vattr; struct vnode *vp; struct file *fp; int error; if (uap->length < 0) return(EINVAL); if ((error = getvnode(td->td_proc->p_fd, SCARG(uap, fd), &fp)) != 0) return (error); if ((fp->f_flag & FWRITE) == 0) { fdrop(fp, td); return (EINVAL); } vp = (struct vnode *)fp->f_data; if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) { fdrop(fp, td); return (error); } VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); if (vp->v_type == VDIR) error = EISDIR; #ifdef MAC - else if ((error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE))) {} + else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {} #endif else if ((error = vn_writechk(vp)) == 0) { VATTR_NULL(&vattr); vattr.va_size = SCARG(uap, length); error = VOP_SETATTR(vp, &vattr, fp->f_cred, td); } VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); fdrop(fp, td); return (error); } #if defined(COMPAT_43) || defined(COMPAT_SUNOS) /* * Truncate a file given its path name. */ #ifndef _SYS_SYSPROTO_H_ struct otruncate_args { char *path; long length; }; #endif /* ARGSUSED */ int otruncate(td, uap) struct thread *td; register struct otruncate_args /* { syscallarg(char *) path; syscallarg(long) length; } */ *uap; { struct truncate_args /* { syscallarg(char *) path; syscallarg(int) pad; syscallarg(off_t) length; } */ nuap; SCARG(&nuap, path) = SCARG(uap, path); SCARG(&nuap, length) = SCARG(uap, length); return (truncate(td, &nuap)); } /* * Truncate a file given a file descriptor. */ #ifndef _SYS_SYSPROTO_H_ struct oftruncate_args { int fd; long length; }; #endif /* ARGSUSED */ int oftruncate(td, uap) struct thread *td; register struct oftruncate_args /* { syscallarg(int) fd; syscallarg(long) length; } */ *uap; { struct ftruncate_args /* { syscallarg(int) fd; syscallarg(int) pad; syscallarg(off_t) length; } */ nuap; SCARG(&nuap, fd) = SCARG(uap, fd); SCARG(&nuap, length) = SCARG(uap, length); return (ftruncate(td, &nuap)); } #endif /* COMPAT_43 || COMPAT_SUNOS */ /* * Sync an open file. */ #ifndef _SYS_SYSPROTO_H_ struct fsync_args { int fd; }; #endif /* ARGSUSED */ int fsync(td, uap) struct thread *td; struct fsync_args /* { syscallarg(int) fd; } */ *uap; { struct vnode *vp; struct mount *mp; struct file *fp; vm_object_t obj; int error; GIANT_REQUIRED; if ((error = getvnode(td->td_proc->p_fd, SCARG(uap, fd), &fp)) != 0) return (error); vp = (struct vnode *)fp->f_data; if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) { fdrop(fp, td); return (error); } vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); if (VOP_GETVOBJECT(vp, &obj) == 0) { vm_object_page_clean(obj, 0, 0, 0); } error = VOP_FSYNC(vp, fp->f_cred, MNT_WAIT, td); if (error == 0 && vp->v_mount && (vp->v_mount->mnt_flag & MNT_SOFTDEP) && softdep_fsync_hook != NULL) error = (*softdep_fsync_hook)(vp); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); fdrop(fp, td); return (error); } /* * Rename files. Source and destination must either both be directories, * or both not be directories. If target is a directory, it must be empty. */ #ifndef _SYS_SYSPROTO_H_ struct rename_args { char *from; char *to; }; #endif /* ARGSUSED */ int rename(td, uap) struct thread *td; register struct rename_args /* { syscallarg(char *) from; syscallarg(char *) to; } */ *uap; { struct mount *mp; struct vnode *tvp, *fvp, *tdvp; struct nameidata fromnd, tond; int error; bwillwrite(); NDINIT(&fromnd, DELETE, WANTPARENT | SAVESTART, UIO_USERSPACE, SCARG(uap, from), td); if ((error = namei(&fromnd)) != 0) return (error); fvp = fromnd.ni_vp; if ((error = vn_start_write(fvp, &mp, V_WAIT | PCATCH)) != 0) { NDFREE(&fromnd, NDF_ONLY_PNBUF); vrele(fromnd.ni_dvp); vrele(fvp); goto out1; } NDINIT(&tond, RENAME, LOCKPARENT | LOCKLEAF | NOCACHE | SAVESTART | NOOBJ, UIO_USERSPACE, SCARG(uap, to), td); if (fromnd.ni_vp->v_type == VDIR) tond.ni_cnd.cn_flags |= WILLBEDIR; if ((error = namei(&tond)) != 0) { /* Translate error code for rename("dir1", "dir2/."). */ if (error == EISDIR && fvp->v_type == VDIR) error = EINVAL; NDFREE(&fromnd, NDF_ONLY_PNBUF); vrele(fromnd.ni_dvp); vrele(fvp); goto out1; } tdvp = tond.ni_dvp; tvp = tond.ni_vp; if (tvp != NULL) { if (fvp->v_type == VDIR && tvp->v_type != VDIR) { error = ENOTDIR; goto out; } else if (fvp->v_type != VDIR && tvp->v_type == VDIR) { error = EISDIR; goto out; } } if (fvp == tdvp) error = EINVAL; /* * If source is the same as the destination (that is the * same inode number with the same name in the same directory), * then there is nothing to do. */ if (fvp == tvp && fromnd.ni_dvp == tdvp && fromnd.ni_cnd.cn_namelen == tond.ni_cnd.cn_namelen && !bcmp(fromnd.ni_cnd.cn_nameptr, tond.ni_cnd.cn_nameptr, fromnd.ni_cnd.cn_namelen)) error = -1; out: if (!error) { VOP_LEASE(tdvp, td, td->td_ucred, LEASE_WRITE); if (fromnd.ni_dvp != tdvp) { VOP_LEASE(fromnd.ni_dvp, td, td->td_ucred, LEASE_WRITE); } if (tvp) { VOP_LEASE(tvp, td, td->td_ucred, LEASE_WRITE); } error = VOP_RENAME(fromnd.ni_dvp, fromnd.ni_vp, &fromnd.ni_cnd, tond.ni_dvp, tond.ni_vp, &tond.ni_cnd); NDFREE(&fromnd, NDF_ONLY_PNBUF); NDFREE(&tond, NDF_ONLY_PNBUF); } else { NDFREE(&fromnd, NDF_ONLY_PNBUF); NDFREE(&tond, NDF_ONLY_PNBUF); if (tdvp == tvp) vrele(tdvp); else vput(tdvp); if (tvp) vput(tvp); vrele(fromnd.ni_dvp); vrele(fvp); } vrele(tond.ni_startdir); vn_finished_write(mp); ASSERT_VOP_UNLOCKED(fromnd.ni_dvp, "rename"); ASSERT_VOP_UNLOCKED(fromnd.ni_vp, "rename"); ASSERT_VOP_UNLOCKED(tond.ni_dvp, "rename"); ASSERT_VOP_UNLOCKED(tond.ni_vp, "rename"); out1: if (fromnd.ni_startdir) vrele(fromnd.ni_startdir); if (error == -1) return (0); return (error); } /* * Make a directory file. */ #ifndef _SYS_SYSPROTO_H_ struct mkdir_args { char *path; int mode; }; #endif /* ARGSUSED */ int mkdir(td, uap) struct thread *td; register struct mkdir_args /* { syscallarg(char *) path; syscallarg(int) mode; } */ *uap; { return vn_mkdir(uap->path, uap->mode, UIO_USERSPACE, td); } int vn_mkdir(path, mode, segflg, td) char *path; int mode; enum uio_seg segflg; struct thread *td; { struct mount *mp; struct vnode *vp; struct vattr vattr; int error; struct nameidata nd; restart: bwillwrite(); NDINIT(&nd, CREATE, LOCKPARENT | SAVENAME, segflg, path, td); nd.ni_cnd.cn_flags |= WILLBEDIR; if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; if (vp != NULL) { NDFREE(&nd, NDF_ONLY_PNBUF); vrele(vp); /* * XXX namei called with LOCKPARENT but not LOCKLEAF has * the strange behaviour of leaving the vnode unlocked * if the target is the same vnode as the parent. */ if (vp == nd.ni_dvp) vrele(nd.ni_dvp); else vput(nd.ni_dvp); return (EEXIST); } if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) { NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); if ((error = vn_start_write(NULL, &mp, V_XSLEEP | PCATCH)) != 0) return (error); goto restart; } VATTR_NULL(&vattr); vattr.va_type = VDIR; FILEDESC_LOCK(td->td_proc->p_fd); vattr.va_mode = (mode & ACCESSPERMS) &~ td->td_proc->p_fd->fd_cmask; FILEDESC_UNLOCK(td->td_proc->p_fd); VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE); error = VOP_MKDIR(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr); NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_dvp); if (!error) vput(nd.ni_vp); vn_finished_write(mp); ASSERT_VOP_UNLOCKED(nd.ni_dvp, "mkdir"); ASSERT_VOP_UNLOCKED(nd.ni_vp, "mkdir"); return (error); } /* * Remove a directory file. */ #ifndef _SYS_SYSPROTO_H_ struct rmdir_args { char *path; }; #endif /* ARGSUSED */ int rmdir(td, uap) struct thread *td; struct rmdir_args /* { syscallarg(char *) path; } */ *uap; { struct mount *mp; struct vnode *vp; int error; struct nameidata nd; restart: bwillwrite(); NDINIT(&nd, DELETE, LOCKPARENT | LOCKLEAF, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; if (vp->v_type != VDIR) { error = ENOTDIR; goto out; } /* * No rmdir "." please. */ if (nd.ni_dvp == vp) { error = EINVAL; goto out; } /* * The root of a mounted filesystem cannot be deleted. */ if (vp->v_vflag & VV_ROOT) { error = EBUSY; goto out; } if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) { NDFREE(&nd, NDF_ONLY_PNBUF); if (nd.ni_dvp == vp) vrele(nd.ni_dvp); else vput(nd.ni_dvp); vput(vp); if ((error = vn_start_write(NULL, &mp, V_XSLEEP | PCATCH)) != 0) return (error); goto restart; } VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); error = VOP_RMDIR(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd); vn_finished_write(mp); out: NDFREE(&nd, NDF_ONLY_PNBUF); if (nd.ni_dvp == vp) vrele(nd.ni_dvp); else vput(nd.ni_dvp); vput(vp); ASSERT_VOP_UNLOCKED(nd.ni_dvp, "rmdir"); ASSERT_VOP_UNLOCKED(nd.ni_vp, "rmdir"); return (error); } #ifdef COMPAT_43 /* * Read a block of directory entries in a filesystem independent format. */ #ifndef _SYS_SYSPROTO_H_ struct ogetdirentries_args { int fd; char *buf; u_int count; long *basep; }; #endif int ogetdirentries(td, uap) struct thread *td; register struct ogetdirentries_args /* { syscallarg(int) fd; syscallarg(char *) buf; syscallarg(u_int) count; syscallarg(long *) basep; } */ *uap; { struct vnode *vp; struct file *fp; struct uio auio, kuio; struct iovec aiov, kiov; struct dirent *dp, *edp; caddr_t dirbuf; int error, eofflag, readcnt; long loff; /* XXX arbitrary sanity limit on `count'. */ if (SCARG(uap, count) > 64 * 1024) return (EINVAL); if ((error = getvnode(td->td_proc->p_fd, SCARG(uap, fd), &fp)) != 0) return (error); if ((fp->f_flag & FREAD) == 0) { fdrop(fp, td); return (EBADF); } vp = (struct vnode *)fp->f_data; unionread: if (vp->v_type != VDIR) { fdrop(fp, td); return (EINVAL); } aiov.iov_base = SCARG(uap, buf); aiov.iov_len = SCARG(uap, count); auio.uio_iov = &aiov; auio.uio_iovcnt = 1; auio.uio_rw = UIO_READ; auio.uio_segflg = UIO_USERSPACE; auio.uio_td = td; auio.uio_resid = SCARG(uap, count); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); loff = auio.uio_offset = fp->f_offset; #ifdef MAC error = mac_check_vnode_readdir(td->td_ucred, vp); if (error) { VOP_UNLOCK(vp, 0, td); fdrop(fp, td); return (error); } #endif # if (BYTE_ORDER != LITTLE_ENDIAN) if (vp->v_mount->mnt_maxsymlinklen <= 0) { error = VOP_READDIR(vp, &auio, fp->f_cred, &eofflag, NULL, NULL); fp->f_offset = auio.uio_offset; } else # endif { kuio = auio; kuio.uio_iov = &kiov; kuio.uio_segflg = UIO_SYSSPACE; kiov.iov_len = SCARG(uap, count); MALLOC(dirbuf, caddr_t, SCARG(uap, count), M_TEMP, M_WAITOK); kiov.iov_base = dirbuf; error = VOP_READDIR(vp, &kuio, fp->f_cred, &eofflag, NULL, NULL); fp->f_offset = kuio.uio_offset; if (error == 0) { readcnt = SCARG(uap, count) - kuio.uio_resid; edp = (struct dirent *)&dirbuf[readcnt]; for (dp = (struct dirent *)dirbuf; dp < edp; ) { # if (BYTE_ORDER == LITTLE_ENDIAN) /* * The expected low byte of * dp->d_namlen is our dp->d_type. * The high MBZ byte of dp->d_namlen * is our dp->d_namlen. */ dp->d_type = dp->d_namlen; dp->d_namlen = 0; # else /* * The dp->d_type is the high byte * of the expected dp->d_namlen, * so must be zero'ed. */ dp->d_type = 0; # endif if (dp->d_reclen > 0) { dp = (struct dirent *) ((char *)dp + dp->d_reclen); } else { error = EIO; break; } } if (dp >= edp) error = uiomove(dirbuf, readcnt, &auio); } FREE(dirbuf, M_TEMP); } VOP_UNLOCK(vp, 0, td); if (error) { fdrop(fp, td); return (error); } if (SCARG(uap, count) == auio.uio_resid) { if (union_dircheckp) { error = union_dircheckp(td, &vp, fp); if (error == -1) goto unionread; if (error) { fdrop(fp, td); return (error); } } mp_fixme("Accessing vflags w/o vn lock."); if ((vp->v_vflag & VV_ROOT) && (vp->v_mount->mnt_flag & MNT_UNION)) { struct vnode *tvp = vp; vp = vp->v_mount->mnt_vnodecovered; VREF(vp); fp->f_data = vp; fp->f_offset = 0; vrele(tvp); goto unionread; } } error = copyout(&loff, SCARG(uap, basep), sizeof(long)); fdrop(fp, td); td->td_retval[0] = SCARG(uap, count) - auio.uio_resid; return (error); } #endif /* COMPAT_43 */ /* * Read a block of directory entries in a filesystem independent format. */ #ifndef _SYS_SYSPROTO_H_ struct getdirentries_args { int fd; char *buf; u_int count; long *basep; }; #endif int getdirentries(td, uap) struct thread *td; register struct getdirentries_args /* { syscallarg(int) fd; syscallarg(char *) buf; syscallarg(u_int) count; syscallarg(long *) basep; } */ *uap; { struct vnode *vp; struct file *fp; struct uio auio; struct iovec aiov; long loff; int error, eofflag; if ((error = getvnode(td->td_proc->p_fd, SCARG(uap, fd), &fp)) != 0) return (error); if ((fp->f_flag & FREAD) == 0) { fdrop(fp, td); return (EBADF); } vp = (struct vnode *)fp->f_data; unionread: if (vp->v_type != VDIR) { fdrop(fp, td); return (EINVAL); } aiov.iov_base = SCARG(uap, buf); aiov.iov_len = SCARG(uap, count); auio.uio_iov = &aiov; auio.uio_iovcnt = 1; auio.uio_rw = UIO_READ; auio.uio_segflg = UIO_USERSPACE; auio.uio_td = td; auio.uio_resid = SCARG(uap, count); /* vn_lock(vp, LK_SHARED | LK_RETRY, td); */ vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); loff = auio.uio_offset = fp->f_offset; #ifdef MAC error = mac_check_vnode_readdir(td->td_ucred, vp); if (error == 0) #endif error = VOP_READDIR(vp, &auio, fp->f_cred, &eofflag, NULL, NULL); fp->f_offset = auio.uio_offset; VOP_UNLOCK(vp, 0, td); if (error) { fdrop(fp, td); return (error); } if (SCARG(uap, count) == auio.uio_resid) { if (union_dircheckp) { error = union_dircheckp(td, &vp, fp); if (error == -1) goto unionread; if (error) { fdrop(fp, td); return (error); } } mp_fixme("Accessing vflag without vn lock."); if ((vp->v_vflag & VV_ROOT) && (vp->v_mount->mnt_flag & MNT_UNION)) { struct vnode *tvp = vp; vp = vp->v_mount->mnt_vnodecovered; VREF(vp); fp->f_data = vp; fp->f_offset = 0; vrele(tvp); goto unionread; } } if (SCARG(uap, basep) != NULL) { error = copyout(&loff, SCARG(uap, basep), sizeof(long)); } td->td_retval[0] = SCARG(uap, count) - auio.uio_resid; fdrop(fp, td); return (error); } #ifndef _SYS_SYSPROTO_H_ struct getdents_args { int fd; char *buf; size_t count; }; #endif int getdents(td, uap) struct thread *td; register struct getdents_args /* { syscallarg(int) fd; syscallarg(char *) buf; syscallarg(u_int) count; } */ *uap; { struct getdirentries_args ap; ap.fd = uap->fd; ap.buf = uap->buf; ap.count = uap->count; ap.basep = NULL; return getdirentries(td, &ap); } /* * Set the mode mask for creation of filesystem nodes. * * MP SAFE */ #ifndef _SYS_SYSPROTO_H_ struct umask_args { int newmask; }; #endif int umask(td, uap) struct thread *td; struct umask_args /* { syscallarg(int) newmask; } */ *uap; { register struct filedesc *fdp; FILEDESC_LOCK(td->td_proc->p_fd); fdp = td->td_proc->p_fd; td->td_retval[0] = fdp->fd_cmask; fdp->fd_cmask = SCARG(uap, newmask) & ALLPERMS; FILEDESC_UNLOCK(td->td_proc->p_fd); return (0); } /* * Void all references to file by ripping underlying filesystem * away from vnode. */ #ifndef _SYS_SYSPROTO_H_ struct revoke_args { char *path; }; #endif /* ARGSUSED */ int revoke(td, uap) struct thread *td; register struct revoke_args /* { syscallarg(char *) path; } */ *uap; { struct mount *mp; struct vnode *vp; struct vattr vattr; int error; struct nameidata nd; NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, SCARG(uap, path), td); if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; NDFREE(&nd, NDF_ONLY_PNBUF); if (vp->v_type != VCHR) { vput(vp); return (EINVAL); } #ifdef MAC error = mac_check_vnode_revoke(td->td_ucred, vp); if (error) { vput(vp); return (error); } #endif error = VOP_GETATTR(vp, &vattr, td->td_ucred, td); if (error) { vput(vp); return (error); } VOP_UNLOCK(vp, 0, td); if (td->td_ucred->cr_uid != vattr.va_uid) { error = suser_cred(td->td_ucred, PRISON_ROOT); if (error) goto out; } if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) goto out; if (vcount(vp) > 1) VOP_REVOKE(vp, REVOKEALL); vn_finished_write(mp); out: vrele(vp); return (error); } /* * Convert a user file descriptor to a kernel file entry. * The file entry is locked upon returning. */ int getvnode(fdp, fd, fpp) struct filedesc *fdp; int fd; struct file **fpp; { int error; struct file *fp; fp = NULL; if (fdp == NULL) error = EBADF; else { FILEDESC_LOCK(fdp); if ((u_int)fd >= fdp->fd_nfiles || (fp = fdp->fd_ofiles[fd]) == NULL) error = EBADF; else if (fp->f_type != DTYPE_VNODE && fp->f_type != DTYPE_FIFO) { fp = NULL; error = EINVAL; } else { fhold(fp); error = 0; } FILEDESC_UNLOCK(fdp); } *fpp = fp; return (error); } /* * Get (NFS) file handle */ #ifndef _SYS_SYSPROTO_H_ struct getfh_args { char *fname; fhandle_t *fhp; }; #endif int getfh(td, uap) struct thread *td; register struct getfh_args *uap; { struct nameidata nd; fhandle_t fh; register struct vnode *vp; int error; /* * Must be super user */ error = suser(td); if (error) return (error); NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, uap->fname, td); error = namei(&nd); if (error) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); vp = nd.ni_vp; bzero(&fh, sizeof(fh)); fh.fh_fsid = vp->v_mount->mnt_stat.f_fsid; error = VFS_VPTOFH(vp, &fh.fh_fid); vput(vp); if (error) return (error); error = copyout(&fh, uap->fhp, sizeof (fh)); return (error); } /* * syscall for the rpc.lockd to use to translate a NFS file handle into * an open descriptor. * * warning: do not remove the suser() call or this becomes one giant * security hole. */ #ifndef _SYS_SYSPROTO_H_ struct fhopen_args { const struct fhandle *u_fhp; int flags; }; #endif int fhopen(td, uap) struct thread *td; struct fhopen_args /* { syscallarg(const struct fhandle *) u_fhp; syscallarg(int) flags; } */ *uap; { struct proc *p = td->td_proc; struct mount *mp; struct vnode *vp; struct fhandle fhp; struct vattr vat; struct vattr *vap = &vat; struct flock lf; struct file *fp; register struct filedesc *fdp = p->p_fd; int fmode, mode, error, type; struct file *nfp; int indx; /* * Must be super user */ error = suser(td); if (error) return (error); fmode = FFLAGS(SCARG(uap, flags)); /* why not allow a non-read/write open for our lockd? */ if (((fmode & (FREAD | FWRITE)) == 0) || (fmode & O_CREAT)) return (EINVAL); error = copyin(SCARG(uap,u_fhp), &fhp, sizeof(fhp)); if (error) return(error); /* find the mount point */ mp = vfs_getvfs(&fhp.fh_fsid); if (mp == NULL) return (ESTALE); /* now give me my vnode, it gets returned to me locked */ error = VFS_FHTOVP(mp, &fhp.fh_fid, &vp); if (error) return (error); /* * from now on we have to make sure not * to forget about the vnode * any error that causes an abort must vput(vp) * just set error = err and 'goto bad;'. */ /* * from vn_open */ if (vp->v_type == VLNK) { error = EMLINK; goto bad; } if (vp->v_type == VSOCK) { error = EOPNOTSUPP; goto bad; } mode = 0; if (fmode & (FWRITE | O_TRUNC)) { if (vp->v_type == VDIR) { error = EISDIR; goto bad; } error = vn_writechk(vp); if (error) goto bad; mode |= VWRITE; } if (fmode & FREAD) mode |= VREAD; if (fmode & O_APPEND) mode |= VAPPEND; #ifdef MAC error = mac_check_vnode_open(td->td_ucred, vp, mode); if (error) goto bad; #endif if (mode) { error = VOP_ACCESS(vp, mode, td->td_ucred, td); if (error) goto bad; } if (fmode & O_TRUNC) { VOP_UNLOCK(vp, 0, td); /* XXX */ if ((error = vn_start_write(NULL, &mp, V_WAIT | PCATCH)) != 0) { vrele(vp); return (error); } VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); /* XXX */ #ifdef MAC - error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(td->td_ucred, vp); if (error == 0) { #endif VATTR_NULL(vap); vap->va_size = 0; error = VOP_SETATTR(vp, vap, td->td_ucred, td); #ifdef MAC } #endif vn_finished_write(mp); if (error) goto bad; } error = VOP_OPEN(vp, fmode, td->td_ucred, td); if (error) goto bad; /* * Make sure that a VM object is created for VMIO support. */ if (vn_canvmio(vp) == TRUE) { if ((error = vfs_object_create(vp, td, td->td_ucred)) != 0) goto bad; } if (fmode & FWRITE) vp->v_writecount++; /* * end of vn_open code */ if ((error = falloc(td, &nfp, &indx)) != 0) { if (fmode & FWRITE) vp->v_writecount--; goto bad; } fp = nfp; /* * Hold an extra reference to avoid having fp ripped out * from under us while we block in the lock op */ fhold(fp); nfp->f_data = vp; nfp->f_flag = fmode & FMASK; nfp->f_ops = &vnops; nfp->f_type = DTYPE_VNODE; if (fmode & (O_EXLOCK | O_SHLOCK)) { lf.l_whence = SEEK_SET; lf.l_start = 0; lf.l_len = 0; if (fmode & O_EXLOCK) lf.l_type = F_WRLCK; else lf.l_type = F_RDLCK; type = F_FLOCK; if ((fmode & FNONBLOCK) == 0) type |= F_WAIT; VOP_UNLOCK(vp, 0, td); if ((error = VOP_ADVLOCK(vp, (caddr_t)fp, F_SETLK, &lf, type)) != 0) { /* * The lock request failed. Normally close the * descriptor but handle the case where someone might * have dup()d or close()d it when we weren't looking. */ FILEDESC_LOCK(fdp); if (fdp->fd_ofiles[indx] == fp) { fdp->fd_ofiles[indx] = NULL; FILEDESC_UNLOCK(fdp); fdrop(fp, td); } else FILEDESC_UNLOCK(fdp); /* * release our private reference */ fdrop(fp, td); return(error); } vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); fp->f_flag |= FHASLOCK; } if ((vp->v_type == VREG) && (VOP_GETVOBJECT(vp, NULL) != 0)) vfs_object_create(vp, td, td->td_ucred); VOP_UNLOCK(vp, 0, td); fdrop(fp, td); td->td_retval[0] = indx; return (0); bad: vput(vp); return (error); } /* * Stat an (NFS) file handle. */ #ifndef _SYS_SYSPROTO_H_ struct fhstat_args { struct fhandle *u_fhp; struct stat *sb; }; #endif int fhstat(td, uap) struct thread *td; register struct fhstat_args /* { syscallarg(struct fhandle *) u_fhp; syscallarg(struct stat *) sb; } */ *uap; { struct stat sb; fhandle_t fh; struct mount *mp; struct vnode *vp; int error; /* * Must be super user */ error = suser(td); if (error) return (error); error = copyin(SCARG(uap, u_fhp), &fh, sizeof(fhandle_t)); if (error) return (error); if ((mp = vfs_getvfs(&fh.fh_fsid)) == NULL) return (ESTALE); if ((error = VFS_FHTOVP(mp, &fh.fh_fid, &vp))) return (error); error = vn_stat(vp, &sb, td->td_ucred, NOCRED, td); vput(vp); if (error) return (error); error = copyout(&sb, SCARG(uap, sb), sizeof(sb)); return (error); } /* * Implement fstatfs() for (NFS) file handles. */ #ifndef _SYS_SYSPROTO_H_ struct fhstatfs_args { struct fhandle *u_fhp; struct statfs *buf; }; #endif int fhstatfs(td, uap) struct thread *td; struct fhstatfs_args /* { syscallarg(struct fhandle) *u_fhp; syscallarg(struct statfs) *buf; } */ *uap; { struct statfs *sp; struct mount *mp; struct vnode *vp; struct statfs sb; fhandle_t fh; int error; /* * Must be super user */ error = suser(td); if (error) return (error); if ((error = copyin(SCARG(uap, u_fhp), &fh, sizeof(fhandle_t))) != 0) return (error); if ((mp = vfs_getvfs(&fh.fh_fsid)) == NULL) return (ESTALE); if ((error = VFS_FHTOVP(mp, &fh.fh_fid, &vp))) return (error); mp = vp->v_mount; sp = &mp->mnt_stat; vput(vp); #ifdef MAC error = mac_check_mount_stat(td->td_ucred, mp); if (error) return (error); #endif if ((error = VFS_STATFS(mp, sp, td)) != 0) return (error); sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; if (suser(td)) { bcopy(sp, &sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; sp = &sb; } return (copyout(sp, SCARG(uap, buf), sizeof(*sp))); } /* * Syscall to push extended attribute configuration information into the * VFS. Accepts a path, which it converts to a mountpoint, as well as * a command (int cmd), and attribute name and misc data. For now, the * attribute name is left in userspace for consumption by the VFS_op. * It will probably be changed to be copied into sysspace by the * syscall in the future, once issues with various consumers of the * attribute code have raised their hands. * * Currently this is used only by UFS Extended Attributes. */ int extattrctl(td, uap) struct thread *td; struct extattrctl_args /* { syscallarg(const char *) path; syscallarg(int) cmd; syscallarg(const char *) filename; syscallarg(int) attrnamespace; syscallarg(const char *) attrname; } */ *uap; { struct vnode *filename_vp; struct nameidata nd; struct mount *mp, *mp_writable; char attrname[EXTATTR_MAXNAMELEN]; int error; /* * uap->attrname is not always defined. We check again later when we * invoke the VFS call so as to pass in NULL there if needed. */ if (uap->attrname != NULL) { error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return (error); } /* * uap->filename is not always defined. If it is, grab a vnode lock, * which VFS_EXTATTRCTL() will later release. */ filename_vp = NULL; if (uap->filename != NULL) { NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, uap->filename, td); if ((error = namei(&nd)) != 0) return (error); filename_vp = nd.ni_vp; NDFREE(&nd, NDF_NO_VP_RELE | NDF_NO_VP_UNLOCK); } /* uap->path is always defined. */ NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, uap->path, td); if ((error = namei(&nd)) != 0) { if (filename_vp != NULL) vput(filename_vp); return (error); } mp = nd.ni_vp->v_mount; error = vn_start_write(nd.ni_vp, &mp_writable, V_WAIT | PCATCH); NDFREE(&nd, 0); if (error) { if (filename_vp != NULL) vput(filename_vp); return (error); } error = VFS_EXTATTRCTL(mp, uap->cmd, filename_vp, uap->attrnamespace, uap->attrname != NULL ? attrname : NULL, td); vn_finished_write(mp_writable); /* * VFS_EXTATTRCTL will have unlocked, but not de-ref'd, * filename_vp, so vrele it if it is defined. */ if (filename_vp != NULL) vrele(filename_vp); return (error); } /*- * Set a named extended attribute on a file or directory * * Arguments: unlocked vnode "vp", attribute namespace "attrnamespace", * kernelspace string pointer "attrname", userspace buffer * pointer "data", buffer length "nbytes", thread "td". * Returns: 0 on success, an error number otherwise * Locks: none * References: vp must be a valid reference for the duration of the call */ static int extattr_set_vp(struct vnode *vp, int attrnamespace, const char *attrname, void *data, size_t nbytes, struct thread *td) { struct mount *mp; struct uio auio; struct iovec aiov; ssize_t cnt; int error; if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) return (error); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); aiov.iov_base = data; aiov.iov_len = nbytes; auio.uio_iov = &aiov; auio.uio_iovcnt = 1; auio.uio_offset = 0; if (nbytes > INT_MAX) { error = EINVAL; goto done; } auio.uio_resid = nbytes; auio.uio_rw = UIO_WRITE; auio.uio_segflg = UIO_USERSPACE; auio.uio_td = td; cnt = nbytes; #ifdef MAC error = mac_check_vnode_setextattr(td->td_ucred, vp, attrnamespace, attrname, &auio); if (error) goto done; #endif error = VOP_SETEXTATTR(vp, attrnamespace, attrname, &auio, td->td_ucred, td); cnt -= auio.uio_resid; td->td_retval[0] = cnt; done: VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); return (error); } int extattr_set_file(td, uap) struct thread *td; struct extattr_set_file_args /* { syscallarg(const char *) path; syscallarg(int) attrnamespace; syscallarg(const char *) attrname; syscallarg(void *) data; syscallarg(size_t) nbytes; } */ *uap; { struct nameidata nd; char attrname[EXTATTR_MAXNAMELEN]; int error; error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return (error); NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, uap->path, td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = extattr_set_vp(nd.ni_vp, uap->attrnamespace, attrname, uap->data, uap->nbytes, td); vrele(nd.ni_vp); return (error); } int extattr_set_fd(td, uap) struct thread *td; struct extattr_set_fd_args /* { syscallarg(int) fd; syscallarg(int) attrnamespace; syscallarg(const char *) attrname; syscallarg(void *) data; syscallarg(size_t) nbytes; } */ *uap; { struct file *fp; char attrname[EXTATTR_MAXNAMELEN]; int error; error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return (error); if ((error = getvnode(td->td_proc->p_fd, uap->fd, &fp)) != 0) return (error); error = extattr_set_vp((struct vnode *)fp->f_data, uap->attrnamespace, attrname, uap->data, uap->nbytes, td); fdrop(fp, td); return (error); } /*- * Get a named extended attribute on a file or directory * * Arguments: unlocked vnode "vp", attribute namespace "attrnamespace", * kernelspace string pointer "attrname", userspace buffer * pointer "data", buffer length "nbytes", thread "td". * Returns: 0 on success, an error number otherwise * Locks: none * References: vp must be a valid reference for the duration of the call */ static int extattr_get_vp(struct vnode *vp, int attrnamespace, const char *attrname, void *data, size_t nbytes, struct thread *td) { struct uio auio, *auiop; struct iovec aiov; ssize_t cnt; size_t size, *sizep; int error; VOP_LEASE(vp, td, td->td_ucred, LEASE_READ); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); /* * Slightly unusual semantics: if the user provides a NULL data * pointer, they don't want to receive the data, just the * maximum read length. */ auiop = NULL; sizep = NULL; cnt = 0; if (data != NULL) { aiov.iov_base = data; aiov.iov_len = nbytes; auio.uio_iov = &aiov; auio.uio_offset = 0; if (nbytes > INT_MAX) { error = EINVAL; goto done; } auio.uio_resid = nbytes; auio.uio_rw = UIO_READ; auio.uio_segflg = UIO_USERSPACE; auio.uio_td = td; auiop = &auio; cnt = nbytes; } else sizep = &size; #ifdef MAC error = mac_check_vnode_getextattr(td->td_ucred, vp, attrnamespace, attrname, &auio); if (error) goto done; #endif error = VOP_GETEXTATTR(vp, attrnamespace, attrname, auiop, sizep, td->td_ucred, td); if (auiop != NULL) { cnt -= auio.uio_resid; td->td_retval[0] = cnt; } else td->td_retval[0] = size; done: VOP_UNLOCK(vp, 0, td); return (error); } int extattr_get_file(td, uap) struct thread *td; struct extattr_get_file_args /* { syscallarg(const char *) path; syscallarg(int) attrnamespace; syscallarg(const char *) attrname; syscallarg(void *) data; syscallarg(size_t) nbytes; } */ *uap; { struct nameidata nd; char attrname[EXTATTR_MAXNAMELEN]; int error; error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return (error); NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, uap->path, td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); error = extattr_get_vp(nd.ni_vp, uap->attrnamespace, attrname, uap->data, uap->nbytes, td); vrele(nd.ni_vp); return (error); } int extattr_get_fd(td, uap) struct thread *td; struct extattr_get_fd_args /* { syscallarg(int) fd; syscallarg(int) attrnamespace; syscallarg(const char *) attrname; syscallarg(void *) data; syscallarg(size_t) nbytes; } */ *uap; { struct file *fp; char attrname[EXTATTR_MAXNAMELEN]; int error; error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return (error); if ((error = getvnode(td->td_proc->p_fd, uap->fd, &fp)) != 0) return (error); error = extattr_get_vp((struct vnode *)fp->f_data, uap->attrnamespace, attrname, uap->data, uap->nbytes, td); fdrop(fp, td); return (error); } /* * extattr_delete_vp(): Delete a named extended attribute on a file or * directory * * Arguments: unlocked vnode "vp", attribute namespace "attrnamespace", * kernelspace string pointer "attrname", proc "p" * Returns: 0 on success, an error number otherwise * Locks: none * References: vp must be a valid reference for the duration of the call */ static int extattr_delete_vp(struct vnode *vp, int attrnamespace, const char *attrname, struct thread *td) { struct mount *mp; int error; if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) return (error); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC error = mac_check_vnode_setextattr(td->td_ucred, vp, attrnamespace, attrname, NULL); #endif error = VOP_SETEXTATTR(vp, attrnamespace, attrname, NULL, td->td_ucred, td); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); return (error); } int extattr_delete_file(td, uap) struct thread *td; struct extattr_delete_file_args /* { syscallarg(const char *) path; syscallarg(int) attrnamespace; syscallarg(const char *) attrname; } */ *uap; { struct nameidata nd; char attrname[EXTATTR_MAXNAMELEN]; int error; error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return(error); NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, uap->path, td); if ((error = namei(&nd)) != 0) return(error); NDFREE(&nd, NDF_ONLY_PNBUF); error = extattr_delete_vp(nd.ni_vp, uap->attrnamespace, attrname, td); vrele(nd.ni_vp); return(error); } int extattr_delete_fd(td, uap) struct thread *td; struct extattr_delete_fd_args /* { syscallarg(int) fd; syscallarg(int) attrnamespace; syscallarg(const char *) attrname; } */ *uap; { struct file *fp; struct vnode *vp; char attrname[EXTATTR_MAXNAMELEN]; int error; error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return (error); if ((error = getvnode(td->td_proc->p_fd, uap->fd, &fp)) != 0) return (error); vp = (struct vnode *)fp->f_data; error = extattr_delete_vp(vp, uap->attrnamespace, attrname, td); fdrop(fp, td); return (error); } Index: head/sys/kern/vfs_vnops.c =================================================================== --- head/sys/kern/vfs_vnops.c (revision 102111) +++ head/sys/kern/vfs_vnops.c (revision 102112) @@ -1,1130 +1,1128 @@ /* * Copyright (c) 1982, 1986, 1989, 1993 * The Regents of the University of California. All rights reserved. * (c) UNIX System Laboratories, Inc. * All or some portions of this file are derived from material licensed * to the University of California by American Telephone and Telegraph * Co. or Unix System Laboratories, Inc. and are reproduced herein with * the permission of UNIX System Laboratories, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)vfs_vnops.c 8.2 (Berkeley) 1/21/94 * $FreeBSD$ */ #include "opt_mac.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static int vn_closefile(struct file *fp, struct thread *td); static int vn_ioctl(struct file *fp, u_long com, void *data, struct ucred *active_cred, struct thread *td); static int vn_read(struct file *fp, struct uio *uio, struct ucred *active_cred, int flags, struct thread *td); static int vn_poll(struct file *fp, int events, struct ucred *active_cred, struct thread *td); static int vn_kqfilter(struct file *fp, struct knote *kn); static int vn_statfile(struct file *fp, struct stat *sb, struct ucred *active_cred, struct thread *td); static int vn_write(struct file *fp, struct uio *uio, struct ucred *active_cred, int flags, struct thread *td); struct fileops vnops = { vn_read, vn_write, vn_ioctl, vn_poll, vn_kqfilter, vn_statfile, vn_closefile }; int vn_open(ndp, flagp, cmode) register struct nameidata *ndp; int *flagp, cmode; { struct thread *td = ndp->ni_cnd.cn_thread; return (vn_open_cred(ndp, flagp, cmode, td->td_ucred)); } /* * Common code for vnode open operations. * Check permissions, and call the VOP_OPEN or VOP_CREATE routine. * * Note that this does NOT free nameidata for the successful case, * due to the NDINIT being done elsewhere. */ int vn_open_cred(ndp, flagp, cmode, cred) register struct nameidata *ndp; int *flagp, cmode; struct ucred *cred; { struct vnode *vp; struct mount *mp; struct thread *td = ndp->ni_cnd.cn_thread; struct vattr vat; struct vattr *vap = &vat; int mode, fmode, error; #ifdef LOOKUP_SHARED int exclusive; /* The current intended lock state */ exclusive = 0; #endif restart: fmode = *flagp; if (fmode & O_CREAT) { ndp->ni_cnd.cn_nameiop = CREATE; ndp->ni_cnd.cn_flags = LOCKPARENT | LOCKLEAF; if ((fmode & O_EXCL) == 0 && (fmode & O_NOFOLLOW) == 0) ndp->ni_cnd.cn_flags |= FOLLOW; bwillwrite(); if ((error = namei(ndp)) != 0) return (error); if (ndp->ni_vp == NULL) { VATTR_NULL(vap); vap->va_type = VREG; vap->va_mode = cmode; if (fmode & O_EXCL) vap->va_vaflags |= VA_EXCLUSIVE; if (vn_start_write(ndp->ni_dvp, &mp, V_NOWAIT) != 0) { NDFREE(ndp, NDF_ONLY_PNBUF); vput(ndp->ni_dvp); if ((error = vn_start_write(NULL, &mp, V_XSLEEP | PCATCH)) != 0) return (error); goto restart; } VOP_LEASE(ndp->ni_dvp, td, cred, LEASE_WRITE); error = VOP_CREATE(ndp->ni_dvp, &ndp->ni_vp, &ndp->ni_cnd, vap); vput(ndp->ni_dvp); vn_finished_write(mp); if (error) { NDFREE(ndp, NDF_ONLY_PNBUF); return (error); } ASSERT_VOP_UNLOCKED(ndp->ni_dvp, "create"); ASSERT_VOP_LOCKED(ndp->ni_vp, "create"); fmode &= ~O_TRUNC; vp = ndp->ni_vp; #ifdef LOOKUP_SHARED exclusive = 1; #endif } else { if (ndp->ni_dvp == ndp->ni_vp) vrele(ndp->ni_dvp); else vput(ndp->ni_dvp); ndp->ni_dvp = NULL; vp = ndp->ni_vp; if (fmode & O_EXCL) { error = EEXIST; goto bad; } fmode &= ~O_CREAT; } } else { ndp->ni_cnd.cn_nameiop = LOOKUP; #ifdef LOOKUP_SHARED ndp->ni_cnd.cn_flags = ((fmode & O_NOFOLLOW) ? NOFOLLOW : FOLLOW) | LOCKSHARED | LOCKLEAF; #else ndp->ni_cnd.cn_flags = ((fmode & O_NOFOLLOW) ? NOFOLLOW : FOLLOW) | LOCKLEAF; #endif if ((error = namei(ndp)) != 0) return (error); vp = ndp->ni_vp; } if (vp->v_type == VLNK) { error = EMLINK; goto bad; } if (vp->v_type == VSOCK) { error = EOPNOTSUPP; goto bad; } mode = 0; if (fmode & (FWRITE | O_TRUNC)) { if (vp->v_type == VDIR) { error = EISDIR; goto bad; } mode |= VWRITE; } if (fmode & FREAD) mode |= VREAD; if (fmode & O_APPEND) mode |= VAPPEND; #ifdef MAC error = mac_check_vnode_open(cred, vp, mode); if (error) goto bad; #endif if ((fmode & O_CREAT) == 0) { if (mode & VWRITE) { error = vn_writechk(vp); if (error) goto bad; } if (mode) { error = VOP_ACCESS(vp, mode, cred, td); if (error) goto bad; } } if ((error = VOP_GETATTR(vp, vap, cred, td)) == 0) { vp->v_cachedfs = vap->va_fsid; vp->v_cachedid = vap->va_fileid; } if ((error = VOP_OPEN(vp, fmode, cred, td)) != 0) goto bad; /* * Make sure that a VM object is created for VMIO support. */ if (vn_canvmio(vp) == TRUE) { #ifdef LOOKUP_SHARED int flock; if (!exclusive && VOP_GETVOBJECT(vp, NULL) != 0) VOP_LOCK(vp, LK_UPGRADE, td); /* * In cases where the object is marked as dead object_create * will unlock and relock exclusive. It is safe to call in * here with a shared lock because we only examine fields that * the shared lock guarantees will be stable. In the UPGRADE * case it is not likely that anyone has used this vnode yet * so there will be no contention. The logic after this call * restores the requested locking state. */ #endif if ((error = vfs_object_create(vp, td, cred)) != 0) { VOP_UNLOCK(vp, 0, td); VOP_CLOSE(vp, fmode, cred, td); NDFREE(ndp, NDF_ONLY_PNBUF); vrele(vp); *flagp = fmode; return (error); } #ifdef LOOKUP_SHARED flock = VOP_ISLOCKED(vp, td); if (!exclusive && flock == LK_EXCLUSIVE) VOP_LOCK(vp, LK_DOWNGRADE, td); #endif } if (fmode & FWRITE) vp->v_writecount++; *flagp = fmode; return (0); bad: NDFREE(ndp, NDF_ONLY_PNBUF); vput(vp); *flagp = fmode; return (error); } /* * Check for write permissions on the specified vnode. * Prototype text segments cannot be written. */ int vn_writechk(vp) register struct vnode *vp; { ASSERT_VOP_LOCKED(vp, "vn_writechk"); /* * If there's shared text associated with * the vnode, try to free it up once. If * we fail, we can't allow writing. */ if (vp->v_vflag & VV_TEXT) return (ETXTBSY); return (0); } /* * Vnode close call */ int vn_close(vp, flags, file_cred, td) register struct vnode *vp; int flags; struct ucred *file_cred; struct thread *td; { int error; if (flags & FWRITE) vp->v_writecount--; error = VOP_CLOSE(vp, flags, file_cred, td); /* * XXX - In certain instances VOP_CLOSE has to do the vrele * itself. If the vrele has been done, it will return EAGAIN * to indicate that the vrele should not be done again. When * this happens, we just return success. The correct thing to * do would be to have all VOP_CLOSE instances do the vrele. */ if (error == EAGAIN) return (0); vrele(vp); return (error); } /* * Sequential heuristic - detect sequential operation */ static __inline int sequential_heuristic(struct uio *uio, struct file *fp) { if ((uio->uio_offset == 0 && fp->f_seqcount > 0) || uio->uio_offset == fp->f_nextoff) { /* * XXX we assume that the filesystem block size is * the default. Not true, but still gives us a pretty * good indicator of how sequential the read operations * are. */ fp->f_seqcount += (uio->uio_resid + BKVASIZE - 1) / BKVASIZE; if (fp->f_seqcount >= 127) fp->f_seqcount = 127; return(fp->f_seqcount << 16); } /* * Not sequential, quick draw-down of seqcount */ if (fp->f_seqcount > 1) fp->f_seqcount = 1; else fp->f_seqcount = 0; return(0); } /* * Package up an I/O request on a vnode into a uio and do it. */ int vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, active_cred, file_cred, aresid, td) enum uio_rw rw; struct vnode *vp; caddr_t base; int len; off_t offset; enum uio_seg segflg; int ioflg; struct ucred *active_cred; struct ucred *file_cred; int *aresid; struct thread *td; { struct uio auio; struct iovec aiov; struct mount *mp; struct ucred *cred; int error; if ((ioflg & IO_NODELOCKED) == 0) { mp = NULL; if (rw == UIO_WRITE) { if (vp->v_type != VCHR && (error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) return (error); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); } else { vn_lock(vp, LK_SHARED | LK_RETRY, td); } } auio.uio_iov = &aiov; auio.uio_iovcnt = 1; aiov.iov_base = base; aiov.iov_len = len; auio.uio_resid = len; auio.uio_offset = offset; auio.uio_segflg = segflg; auio.uio_rw = rw; auio.uio_td = td; error = 0; #ifdef MAC if ((ioflg & IO_NOMACCHECK) == 0) { if (rw == UIO_READ) - error = mac_check_vnode_op(active_cred, vp, - MAC_OP_VNODE_READ); + error = mac_check_vnode_read(active_cred, vp); else - error = mac_check_vnode_op(active_cred, vp, - MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(active_cred, vp); } #endif if (error == 0) { if (file_cred) cred = file_cred; else cred = active_cred; if (rw == UIO_READ) error = VOP_READ(vp, &auio, ioflg, cred); else error = VOP_WRITE(vp, &auio, ioflg, cred); } if (aresid) *aresid = auio.uio_resid; else if (auio.uio_resid && error == 0) error = EIO; if ((ioflg & IO_NODELOCKED) == 0) { if (rw == UIO_WRITE) vn_finished_write(mp); VOP_UNLOCK(vp, 0, td); } return (error); } /* * Package up an I/O request on a vnode into a uio and do it. The I/O * request is split up into smaller chunks and we try to avoid saturating * the buffer cache while potentially holding a vnode locked, so we * check bwillwrite() before calling vn_rdwr(). We also call uio_yield() * to give other processes a chance to lock the vnode (either other processes * core'ing the same binary, or unrelated processes scanning the directory). */ int vn_rdwr_inchunks(rw, vp, base, len, offset, segflg, ioflg, active_cred, file_cred, aresid, td) enum uio_rw rw; struct vnode *vp; caddr_t base; int len; off_t offset; enum uio_seg segflg; int ioflg; struct ucred *active_cred; struct ucred *file_cred; int *aresid; struct thread *td; { int error = 0; do { int chunk = (len > MAXBSIZE) ? MAXBSIZE : len; if (rw != UIO_READ && vp->v_type == VREG) bwillwrite(); error = vn_rdwr(rw, vp, base, chunk, offset, segflg, ioflg, active_cred, file_cred, aresid, td); len -= chunk; /* aresid calc already includes length */ if (error) break; offset += chunk; base += chunk; uio_yield(); } while (len); if (aresid) *aresid += len; return (error); } /* * File table vnode read routine. */ static int vn_read(fp, uio, active_cred, flags, td) struct file *fp; struct uio *uio; struct ucred *active_cred; struct thread *td; int flags; { struct vnode *vp; int error, ioflag; mtx_lock(&Giant); KASSERT(uio->uio_td == td, ("uio_td %p is not td %p", uio->uio_td, td)); vp = (struct vnode *)fp->f_data; ioflag = 0; if (fp->f_flag & FNONBLOCK) ioflag |= IO_NDELAY; if (fp->f_flag & O_DIRECT) ioflag |= IO_DIRECT; VOP_LEASE(vp, td, fp->f_cred, LEASE_READ); vn_lock(vp, LK_SHARED | LK_NOPAUSE | LK_RETRY, td); if ((flags & FOF_OFFSET) == 0) uio->uio_offset = fp->f_offset; ioflag |= sequential_heuristic(uio, fp); #ifdef MAC - error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_READ); + error = mac_check_vnode_read(active_cred, vp); if (error == 0) #endif error = VOP_READ(vp, uio, ioflag, fp->f_cred); if ((flags & FOF_OFFSET) == 0) fp->f_offset = uio->uio_offset; fp->f_nextoff = uio->uio_offset; VOP_UNLOCK(vp, 0, td); mtx_unlock(&Giant); return (error); } /* * File table vnode write routine. */ static int vn_write(fp, uio, active_cred, flags, td) struct file *fp; struct uio *uio; struct ucred *active_cred; struct thread *td; int flags; { struct vnode *vp; struct mount *mp; int error, ioflag; mtx_lock(&Giant); KASSERT(uio->uio_td == td, ("uio_td %p is not td %p", uio->uio_td, td)); vp = (struct vnode *)fp->f_data; if (vp->v_type == VREG) bwillwrite(); ioflag = IO_UNIT; if (vp->v_type == VREG && (fp->f_flag & O_APPEND)) ioflag |= IO_APPEND; if (fp->f_flag & FNONBLOCK) ioflag |= IO_NDELAY; if (fp->f_flag & O_DIRECT) ioflag |= IO_DIRECT; if ((fp->f_flag & O_FSYNC) || (vp->v_mount && (vp->v_mount->mnt_flag & MNT_SYNCHRONOUS))) ioflag |= IO_SYNC; mp = NULL; if (vp->v_type != VCHR && (error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) { mtx_unlock(&Giant); return (error); } VOP_LEASE(vp, td, fp->f_cred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); if ((flags & FOF_OFFSET) == 0) uio->uio_offset = fp->f_offset; ioflag |= sequential_heuristic(uio, fp); #ifdef MAC - error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(active_cred, vp); if (error == 0) #endif error = VOP_WRITE(vp, uio, ioflag, fp->f_cred); if ((flags & FOF_OFFSET) == 0) fp->f_offset = uio->uio_offset; fp->f_nextoff = uio->uio_offset; VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); mtx_unlock(&Giant); return (error); } /* * File table vnode stat routine. */ static int vn_statfile(fp, sb, active_cred, td) struct file *fp; struct stat *sb; struct ucred *active_cred; struct thread *td; { struct vnode *vp = (struct vnode *)fp->f_data; int error; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = vn_stat(vp, sb, active_cred, fp->f_cred, td); VOP_UNLOCK(vp, 0, td); return (error); } /* * Stat a vnode; implementation for the stat syscall */ int vn_stat(vp, sb, active_cred, file_cred, td) struct vnode *vp; register struct stat *sb; struct ucred *active_cred; struct ucred *file_cred; struct thread *td; { struct vattr vattr; register struct vattr *vap; int error; u_short mode; #ifdef MAC error = mac_check_vnode_stat(active_cred, vp); if (error) return (error); #endif vap = &vattr; error = VOP_GETATTR(vp, vap, active_cred, td); if (error) return (error); vp->v_cachedfs = vap->va_fsid; vp->v_cachedid = vap->va_fileid; /* * Zero the spare stat fields */ bzero(sb, sizeof *sb); /* * Copy from vattr table */ if (vap->va_fsid != VNOVAL) sb->st_dev = vap->va_fsid; else sb->st_dev = vp->v_mount->mnt_stat.f_fsid.val[0]; sb->st_ino = vap->va_fileid; mode = vap->va_mode; switch (vap->va_type) { case VREG: mode |= S_IFREG; break; case VDIR: mode |= S_IFDIR; break; case VBLK: mode |= S_IFBLK; break; case VCHR: mode |= S_IFCHR; break; case VLNK: mode |= S_IFLNK; /* This is a cosmetic change, symlinks do not have a mode. */ if (vp->v_mount->mnt_flag & MNT_NOSYMFOLLOW) sb->st_mode &= ~ACCESSPERMS; /* 0000 */ else sb->st_mode |= ACCESSPERMS; /* 0777 */ break; case VSOCK: mode |= S_IFSOCK; break; case VFIFO: mode |= S_IFIFO; break; default: return (EBADF); }; sb->st_mode = mode; sb->st_nlink = vap->va_nlink; sb->st_uid = vap->va_uid; sb->st_gid = vap->va_gid; sb->st_rdev = vap->va_rdev; if (vap->va_size > OFF_MAX) return (EOVERFLOW); sb->st_size = vap->va_size; sb->st_atimespec = vap->va_atime; sb->st_mtimespec = vap->va_mtime; sb->st_ctimespec = vap->va_ctime; sb->st_birthtimespec = vap->va_birthtime; /* * According to www.opengroup.org, the meaning of st_blksize is * "a filesystem-specific preferred I/O block size for this * object. In some filesystem types, this may vary from file * to file" * Default to PAGE_SIZE after much discussion. */ if (vap->va_type == VREG) { sb->st_blksize = vap->va_blocksize; } else if (vn_isdisk(vp, NULL)) { sb->st_blksize = vp->v_rdev->si_bsize_best; if (sb->st_blksize < vp->v_rdev->si_bsize_phys) sb->st_blksize = vp->v_rdev->si_bsize_phys; if (sb->st_blksize < BLKDEV_IOSIZE) sb->st_blksize = BLKDEV_IOSIZE; } else { sb->st_blksize = PAGE_SIZE; } sb->st_flags = vap->va_flags; if (suser(td)) sb->st_gen = 0; else sb->st_gen = vap->va_gen; #if (S_BLKSIZE == 512) /* Optimize this case */ sb->st_blocks = vap->va_bytes >> 9; #else sb->st_blocks = vap->va_bytes / S_BLKSIZE; #endif return (0); } /* * File table vnode ioctl routine. */ static int vn_ioctl(fp, com, data, active_cred, td) struct file *fp; u_long com; void *data; struct ucred *active_cred; struct thread *td; { register struct vnode *vp = ((struct vnode *)fp->f_data); struct vnode *vpold; struct vattr vattr; int error; switch (vp->v_type) { case VREG: case VDIR: if (com == FIONREAD) { vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = VOP_GETATTR(vp, &vattr, active_cred, td); VOP_UNLOCK(vp, 0, td); if (error) return (error); *(int *)data = vattr.va_size - fp->f_offset; return (0); } if (com == FIONBIO || com == FIOASYNC) /* XXX */ return (0); /* XXX */ /* fall into ... */ default: #if 0 return (ENOTTY); #endif case VFIFO: case VCHR: case VBLK: if (com == FIODTYPE) { if (vp->v_type != VCHR && vp->v_type != VBLK) return (ENOTTY); *(int *)data = devsw(vp->v_rdev)->d_flags & D_TYPEMASK; return (0); } error = VOP_IOCTL(vp, com, data, fp->f_flag, active_cred, td); if (error == 0 && com == TIOCSCTTY) { /* Do nothing if reassigning same control tty */ sx_slock(&proctree_lock); if (td->td_proc->p_session->s_ttyvp == vp) { sx_sunlock(&proctree_lock); return (0); } vpold = td->td_proc->p_session->s_ttyvp; VREF(vp); SESS_LOCK(td->td_proc->p_session); td->td_proc->p_session->s_ttyvp = vp; SESS_UNLOCK(td->td_proc->p_session); sx_sunlock(&proctree_lock); /* Get rid of reference to old control tty */ if (vpold) vrele(vpold); } return (error); } } /* * File table vnode poll routine. */ static int vn_poll(fp, events, active_cred, td) struct file *fp; int events; struct ucred *active_cred; struct thread *td; { struct vnode *vp; #ifdef MAC int error; #endif vp = (struct vnode *)fp->f_data; #ifdef MAC vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_POLL); + error = mac_check_vnode_poll(active_cred, vp); VOP_UNLOCK(vp, 0, td); if (error) return (error); #endif return (VOP_POLL(vp, events, fp->f_cred, td)); } /* * Check that the vnode is still valid, and if so * acquire requested lock. */ int #ifndef DEBUG_LOCKS vn_lock(vp, flags, td) #else debug_vn_lock(vp, flags, td, filename, line) #endif struct vnode *vp; int flags; struct thread *td; #ifdef DEBUG_LOCKS const char *filename; int line; #endif { int error; do { if ((flags & LK_INTERLOCK) == 0) VI_LOCK(vp); if ((vp->v_iflag & VI_XLOCK) && vp->v_vxproc != curthread) { vp->v_iflag |= VI_XWANT; msleep(vp, VI_MTX(vp), PINOD | PDROP, "vn_lock", 0); error = ENOENT; } else { #if 0 /* this can now occur in normal operation */ if (vp->v_vxproc != NULL) log(LOG_INFO, "VXLOCK interlock avoided in vn_lock\n"); #endif #ifdef DEBUG_LOCKS vp->filename = filename; vp->line = line; #endif error = VOP_LOCK(vp, flags | LK_NOPAUSE | LK_INTERLOCK, td); if (error == 0) return (error); } flags &= ~LK_INTERLOCK; } while (flags & LK_RETRY); return (error); } /* * File table vnode close routine. */ static int vn_closefile(fp, td) struct file *fp; struct thread *td; { fp->f_ops = &badfileops; return (vn_close(((struct vnode *)fp->f_data), fp->f_flag, fp->f_cred, td)); } /* * Preparing to start a filesystem write operation. If the operation is * permitted, then we bump the count of operations in progress and * proceed. If a suspend request is in progress, we wait until the * suspension is over, and then proceed. */ int vn_start_write(vp, mpp, flags) struct vnode *vp; struct mount **mpp; int flags; { struct mount *mp; int error; /* * If a vnode is provided, get and return the mount point that * to which it will write. */ if (vp != NULL) { if ((error = VOP_GETWRITEMOUNT(vp, mpp)) != 0) { *mpp = NULL; if (error != EOPNOTSUPP) return (error); return (0); } } if ((mp = *mpp) == NULL) return (0); /* * Check on status of suspension. */ while ((mp->mnt_kern_flag & MNTK_SUSPEND) != 0) { if (flags & V_NOWAIT) return (EWOULDBLOCK); error = tsleep(&mp->mnt_flag, (PUSER - 1) | (flags & PCATCH), "suspfs", 0); if (error) return (error); } if (flags & V_XSLEEP) return (0); mp->mnt_writeopcount++; return (0); } /* * Secondary suspension. Used by operations such as vop_inactive * routines that are needed by the higher level functions. These * are allowed to proceed until all the higher level functions have * completed (indicated by mnt_writeopcount dropping to zero). At that * time, these operations are halted until the suspension is over. */ int vn_write_suspend_wait(vp, mp, flags) struct vnode *vp; struct mount *mp; int flags; { int error; if (vp != NULL) { if ((error = VOP_GETWRITEMOUNT(vp, &mp)) != 0) { if (error != EOPNOTSUPP) return (error); return (0); } } /* * If we are not suspended or have not yet reached suspended * mode, then let the operation proceed. */ if (mp == NULL || (mp->mnt_kern_flag & MNTK_SUSPENDED) == 0) return (0); if (flags & V_NOWAIT) return (EWOULDBLOCK); /* * Wait for the suspension to finish. */ return (tsleep(&mp->mnt_flag, (PUSER - 1) | (flags & PCATCH), "suspfs", 0)); } /* * Filesystem write operation has completed. If we are suspending and this * operation is the last one, notify the suspender that the suspension is * now in effect. */ void vn_finished_write(mp) struct mount *mp; { if (mp == NULL) return; mp->mnt_writeopcount--; if (mp->mnt_writeopcount < 0) panic("vn_finished_write: neg cnt"); if ((mp->mnt_kern_flag & MNTK_SUSPEND) != 0 && mp->mnt_writeopcount <= 0) wakeup(&mp->mnt_writeopcount); } /* * Request a filesystem to suspend write operations. */ void vfs_write_suspend(mp) struct mount *mp; { struct thread *td = curthread; if (mp->mnt_kern_flag & MNTK_SUSPEND) return; mp->mnt_kern_flag |= MNTK_SUSPEND; if (mp->mnt_writeopcount > 0) (void) tsleep(&mp->mnt_writeopcount, PUSER - 1, "suspwt", 0); VFS_SYNC(mp, MNT_WAIT, td->td_ucred, td); mp->mnt_kern_flag |= MNTK_SUSPENDED; } /* * Request a filesystem to resume write operations. */ void vfs_write_resume(mp) struct mount *mp; { if ((mp->mnt_kern_flag & MNTK_SUSPEND) == 0) return; mp->mnt_kern_flag &= ~(MNTK_SUSPEND | MNTK_SUSPENDED); wakeup(&mp->mnt_writeopcount); wakeup(&mp->mnt_flag); } /* * Implement kqueues for files by translating it to vnode operation. */ static int vn_kqfilter(struct file *fp, struct knote *kn) { return (VOP_KQFILTER(((struct vnode *)fp->f_data), kn)); } /* * Simplified in-kernel wrapper calls for extended attribute access. * Both calls pass in a NULL credential, authorizing as "kernel" access. * Set IO_NODELOCKED in ioflg if the vnode is already locked. */ int vn_extattr_get(struct vnode *vp, int ioflg, int attrnamespace, const char *attrname, int *buflen, char *buf, struct thread *td) { struct uio auio; struct iovec iov; int error; iov.iov_len = *buflen; iov.iov_base = buf; auio.uio_iov = &iov; auio.uio_iovcnt = 1; auio.uio_rw = UIO_READ; auio.uio_segflg = UIO_SYSSPACE; auio.uio_td = td; auio.uio_offset = 0; auio.uio_resid = *buflen; if ((ioflg & IO_NODELOCKED) == 0) vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); /* authorize attribute retrieval as kernel */ error = VOP_GETEXTATTR(vp, attrnamespace, attrname, &auio, NULL, NULL, td); if ((ioflg & IO_NODELOCKED) == 0) VOP_UNLOCK(vp, 0, td); if (error == 0) { *buflen = *buflen - auio.uio_resid; } return (error); } /* * XXX failure mode if partially written? */ int vn_extattr_set(struct vnode *vp, int ioflg, int attrnamespace, const char *attrname, int buflen, char *buf, struct thread *td) { struct uio auio; struct iovec iov; struct mount *mp; int error; iov.iov_len = buflen; iov.iov_base = buf; auio.uio_iov = &iov; auio.uio_iovcnt = 1; auio.uio_rw = UIO_WRITE; auio.uio_segflg = UIO_SYSSPACE; auio.uio_td = td; auio.uio_offset = 0; auio.uio_resid = buflen; if ((ioflg & IO_NODELOCKED) == 0) { if ((error = vn_start_write(vp, &mp, V_WAIT)) != 0) return (error); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); } /* authorize attribute setting as kernel */ error = VOP_SETEXTATTR(vp, attrnamespace, attrname, &auio, NULL, td); if ((ioflg & IO_NODELOCKED) == 0) { vn_finished_write(mp); VOP_UNLOCK(vp, 0, td); } return (error); } int vn_extattr_rm(struct vnode *vp, int ioflg, int attrnamespace, const char *attrname, struct thread *td) { struct mount *mp; int error; if ((ioflg & IO_NODELOCKED) == 0) { if ((error = vn_start_write(vp, &mp, V_WAIT)) != 0) return (error); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); } /* authorize attribute removal as kernel */ error = VOP_SETEXTATTR(vp, attrnamespace, attrname, NULL, NULL, td); if ((ioflg & IO_NODELOCKED) == 0) { vn_finished_write(mp); VOP_UNLOCK(vp, 0, td); } return (error); } Index: head/sys/security/mac/mac_framework.c =================================================================== --- head/sys/security/mac/mac_framework.c (revision 102111) +++ head/sys/security/mac/mac_framework.c (revision 102112) @@ -1,3174 +1,3221 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the * TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by NAI Labs, * the Security Research Division of Network Associates, Inc. under * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The names of the authors may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ /* * Developed by the TrustedBSD Project. * * Framework for extensible kernel access control. Kernel and userland * interface to the framework, policy registration and composition. */ #include "opt_mac.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef MAC /* * Declare that the kernel provides MAC support, version 1. This permits * modules to refuse to be loaded if the necessary support isn't present, * even if it's pre-boot. */ MODULE_VERSION(kernel_mac_support, 1); SYSCTL_DECL(_security); SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0, "TrustedBSD MAC policy controls"); SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0, "TrustedBSD MAC debug info"); static int mac_debug_label_fallback = 0; SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW, &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label" "when label is corrupted."); TUNABLE_INT("security.mac.debug_label_fallback", &mac_debug_label_fallback); #ifndef MAC_MAX_POLICIES #define MAC_MAX_POLICIES 8 #endif #if MAC_MAX_POLICIES > 32 #error "MAC_MAX_POLICIES too large" #endif static unsigned int mac_max_policies = MAC_MAX_POLICIES; static unsigned int mac_policy_offsets_free = (1 << MAC_MAX_POLICIES) - 1; SYSCTL_UINT(_security_mac, OID_AUTO, max_policies, CTLFLAG_RD, &mac_max_policies, 0, ""); static int mac_late = 0; static int mac_enforce_fs = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); static int mac_enforce_network = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, &mac_enforce_network, 0, "Enforce MAC policy on network packets"); TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network); static int mac_enforce_process = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW, &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations"); TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process); static int mac_enforce_socket = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); static int mac_enforce_pipe = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW, &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations"); static int mac_label_size = sizeof(struct mac); SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, &mac_label_size, 0, "Pre-compiled MAC label size"); static int mac_cache_fslabel_in_vnode = 1; SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW, &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode"); TUNABLE_INT("security.mac.cache_fslabel_in_vnode", &mac_cache_fslabel_in_vnode); static int mac_vnode_label_cache_hits = 0; SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD, &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels"); static int mac_vnode_label_cache_misses = 0; SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD, &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels"); static int mac_mmap_revocation_via_cow = 0; SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " "copy-on-write semantics, or by removing all write access"); #ifdef MAC_DEBUG static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, nmacipqs, nmacpipes; SYSCTL_UINT(_security_mac_debug, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, creds, CTLFLAG_RD, &nmaccreds, 0, "number of ucreds in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, ifnets, CTLFLAG_RD, &nmacifnets, 0, "number of ifnets in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, ipqs, CTLFLAG_RD, &nmacipqs, 0, "number of ipqs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, bpfdescs, CTLFLAG_RD, &nmacbpfdescs, 0, "number of bpfdescs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, pipes, CTLFLAG_RD, &nmacpipes, 0, "number of pipes in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, mounts, CTLFLAG_RD, &nmacmounts, 0, "number of mounts in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, temp, CTLFLAG_RD, &nmactemp, 0, "number of temporary labels in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, vnodes, CTLFLAG_RD, &nmacvnodes, 0, "number of vnodes in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, devfsdirents, CTLFLAG_RD, &nmacdevfsdirents, 0, "number of devfs dirents inuse"); #endif static int error_select(int error1, int error2); static int mac_externalize(struct label *label, struct mac *mac); static int mac_policy_register(struct mac_policy_conf *mpc); static int mac_policy_unregister(struct mac_policy_conf *mpc); static int mac_stdcreatevnode_ea(struct vnode *vp); static void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred); static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map); MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector"); MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes"); /* * mac_policy_list_lock protects the consistency of 'mac_policy_list', * the linked list of attached policy modules. Read-only consumers of * the list must acquire a shared lock for the duration of their use; * writers must acquire an exclusive lock. Note that for compound * operations, locks should be held for the entire compound operation, * and that this is not yet done for relabel requests. */ static struct mtx mac_policy_list_lock; static LIST_HEAD(, mac_policy_conf) mac_policy_list; static int mac_policy_list_busy; #define MAC_POLICY_LIST_LOCKINIT() mtx_init(&mac_policy_list_lock, \ "mac_policy_list_lock", NULL, MTX_DEF); #define MAC_POLICY_LIST_LOCK() mtx_lock(&mac_policy_list_lock); #define MAC_POLICY_LIST_UNLOCK() mtx_unlock(&mac_policy_list_lock); #define MAC_POLICY_LIST_BUSY() do { \ MAC_POLICY_LIST_LOCK(); \ mac_policy_list_busy++; \ MAC_POLICY_LIST_UNLOCK(); \ } while (0) #define MAC_POLICY_LIST_UNBUSY() do { \ MAC_POLICY_LIST_LOCK(); \ mac_policy_list_busy--; \ if (mac_policy_list_busy < 0) \ panic("Extra mac_policy_list_busy--"); \ MAC_POLICY_LIST_UNLOCK(); \ } while (0) /* * MAC_CHECK performs the designated check by walking the policy * module list and checking with each as to how it feels about the * request. Note that it returns its value via 'error' in the scope * of the caller. */ #define MAC_CHECK(check, args...) do { \ struct mac_policy_conf *mpc; \ \ error = 0; \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## check != NULL) \ error = error_select( \ mpc->mpc_ops->mpo_ ## check (args), \ error); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * MAC_BOOLEAN performs the designated boolean composition by walking * the module list, invoking each instance of the operation, and * combining the results using the passed C operator. Note that it * returns its value via 'result' in the scope of the caller, which * should be initialized by the caller in a meaningful way to get * a meaningful result. */ #define MAC_BOOLEAN(operation, composition, args...) do { \ struct mac_policy_conf *mpc; \ \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## operation != NULL) \ result = result composition \ mpc->mpc_ops->mpo_ ## operation (args); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * MAC_PERFORM performs the designated operation by walking the policy * module list and invoking that operation for each policy. */ #define MAC_PERFORM(operation, args...) do { \ struct mac_policy_conf *mpc; \ \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## operation != NULL) \ mpc->mpc_ops->mpo_ ## operation (args); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * Initialize the MAC subsystem, including appropriate SMP locks. */ static void mac_init(void) { LIST_INIT(&mac_policy_list); MAC_POLICY_LIST_LOCKINIT(); } /* * For the purposes of modules that want to know if they were loaded * "early", set the mac_late flag once we've processed modules either * linked into the kernel, or loaded before the kernel startup. */ static void mac_late_init(void) { mac_late = 1; } /* * Allow MAC policy modules to register during boot, etc. */ int mac_policy_modevent(module_t mod, int type, void *data) { struct mac_policy_conf *mpc; int error; error = 0; mpc = (struct mac_policy_conf *) data; switch (type) { case MOD_LOAD: if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE && mac_late) { printf("mac_policy_modevent: can't load %s policy " "after booting\n", mpc->mpc_name); error = EBUSY; break; } error = mac_policy_register(mpc); break; case MOD_UNLOAD: /* Don't unregister the module if it was never registered. */ if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) != 0) error = mac_policy_unregister(mpc); else error = 0; break; default: break; } return (error); } static int mac_policy_register(struct mac_policy_conf *mpc) { struct mac_policy_conf *tmpc; struct mac_policy_ops *ops; struct mac_policy_op_entry *mpe; int slot; MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*ops), M_MACOPVEC, M_WAITOK | M_ZERO); for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) { switch (mpe->mpe_constant) { case MAC_OP_LAST: /* * Doesn't actually happen, but this allows checking * that all enumerated values are handled. */ break; case MAC_DESTROY: mpc->mpc_ops->mpo_destroy = mpe->mpe_function; break; case MAC_INIT: mpc->mpc_ops->mpo_init = mpe->mpe_function; break; case MAC_INIT_BPFDESC: mpc->mpc_ops->mpo_init_bpfdesc = mpe->mpe_function; break; case MAC_INIT_CRED: mpc->mpc_ops->mpo_init_cred = mpe->mpe_function; break; case MAC_INIT_DEVFSDIRENT: mpc->mpc_ops->mpo_init_devfsdirent = mpe->mpe_function; break; case MAC_INIT_IFNET: mpc->mpc_ops->mpo_init_ifnet = mpe->mpe_function; break; case MAC_INIT_IPQ: mpc->mpc_ops->mpo_init_ipq = mpe->mpe_function; break; case MAC_INIT_MBUF: mpc->mpc_ops->mpo_init_mbuf = mpe->mpe_function; break; case MAC_INIT_MOUNT: mpc->mpc_ops->mpo_init_mount = mpe->mpe_function; break; case MAC_INIT_PIPE: mpc->mpc_ops->mpo_init_pipe = mpe->mpe_function; break; case MAC_INIT_SOCKET: mpc->mpc_ops->mpo_init_socket = mpe->mpe_function; break; case MAC_INIT_TEMP: mpc->mpc_ops->mpo_init_temp = mpe->mpe_function; break; case MAC_INIT_VNODE: mpc->mpc_ops->mpo_init_vnode = mpe->mpe_function; break; case MAC_DESTROY_BPFDESC: mpc->mpc_ops->mpo_destroy_bpfdesc = mpe->mpe_function; break; case MAC_DESTROY_CRED: mpc->mpc_ops->mpo_destroy_cred = mpe->mpe_function; break; case MAC_DESTROY_DEVFSDIRENT: mpc->mpc_ops->mpo_destroy_devfsdirent = mpe->mpe_function; break; case MAC_DESTROY_IFNET: mpc->mpc_ops->mpo_destroy_ifnet = mpe->mpe_function; break; case MAC_DESTROY_IPQ: mpc->mpc_ops->mpo_destroy_ipq = mpe->mpe_function; break; case MAC_DESTROY_MBUF: mpc->mpc_ops->mpo_destroy_mbuf = mpe->mpe_function; break; case MAC_DESTROY_MOUNT: mpc->mpc_ops->mpo_destroy_mount = mpe->mpe_function; break; case MAC_DESTROY_PIPE: mpc->mpc_ops->mpo_destroy_pipe = mpe->mpe_function; break; case MAC_DESTROY_SOCKET: mpc->mpc_ops->mpo_destroy_socket = mpe->mpe_function; break; case MAC_DESTROY_TEMP: mpc->mpc_ops->mpo_destroy_temp = mpe->mpe_function; break; case MAC_DESTROY_VNODE: mpc->mpc_ops->mpo_destroy_vnode = mpe->mpe_function; break; case MAC_EXTERNALIZE: mpc->mpc_ops->mpo_externalize = mpe->mpe_function; break; case MAC_INTERNALIZE: mpc->mpc_ops->mpo_internalize = mpe->mpe_function; break; case MAC_CREATE_DEVFS_DEVICE: mpc->mpc_ops->mpo_create_devfs_device = mpe->mpe_function; break; case MAC_CREATE_DEVFS_DIRECTORY: mpc->mpc_ops->mpo_create_devfs_directory = mpe->mpe_function; break; case MAC_CREATE_DEVFS_VNODE: mpc->mpc_ops->mpo_create_devfs_vnode = mpe->mpe_function; break; case MAC_STDCREATEVNODE_EA: mpc->mpc_ops->mpo_stdcreatevnode_ea = mpe->mpe_function; break; case MAC_CREATE_VNODE: mpc->mpc_ops->mpo_create_vnode = mpe->mpe_function; break; case MAC_CREATE_MOUNT: mpc->mpc_ops->mpo_create_mount = mpe->mpe_function; break; case MAC_CREATE_ROOT_MOUNT: mpc->mpc_ops->mpo_create_root_mount = mpe->mpe_function; break; case MAC_RELABEL_VNODE: mpc->mpc_ops->mpo_relabel_vnode = mpe->mpe_function; break; case MAC_UPDATE_DEVFSDIRENT: mpc->mpc_ops->mpo_update_devfsdirent = mpe->mpe_function; break; case MAC_UPDATE_PROCFSVNODE: mpc->mpc_ops->mpo_update_procfsvnode = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_EXTATTR: mpc->mpc_ops->mpo_update_vnode_from_extattr = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_EXTERNALIZED: mpc->mpc_ops->mpo_update_vnode_from_externalized = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_MOUNT: mpc->mpc_ops->mpo_update_vnode_from_mount = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_SOCKET: mpc->mpc_ops->mpo_create_mbuf_from_socket = mpe->mpe_function; break; case MAC_CREATE_PIPE: mpc->mpc_ops->mpo_create_pipe = mpe->mpe_function; break; case MAC_CREATE_SOCKET: mpc->mpc_ops->mpo_create_socket = mpe->mpe_function; break; case MAC_CREATE_SOCKET_FROM_SOCKET: mpc->mpc_ops->mpo_create_socket_from_socket = mpe->mpe_function; break; case MAC_RELABEL_PIPE: mpc->mpc_ops->mpo_relabel_pipe = mpe->mpe_function; break; case MAC_RELABEL_SOCKET: mpc->mpc_ops->mpo_relabel_socket = mpe->mpe_function; break; case MAC_SET_SOCKET_PEER_FROM_MBUF: mpc->mpc_ops->mpo_set_socket_peer_from_mbuf = mpe->mpe_function; break; case MAC_SET_SOCKET_PEER_FROM_SOCKET: mpc->mpc_ops->mpo_set_socket_peer_from_socket = mpe->mpe_function; break; case MAC_CREATE_BPFDESC: mpc->mpc_ops->mpo_create_bpfdesc = mpe->mpe_function; break; case MAC_CREATE_DATAGRAM_FROM_IPQ: mpc->mpc_ops->mpo_create_datagram_from_ipq = mpe->mpe_function; break; case MAC_CREATE_FRAGMENT: mpc->mpc_ops->mpo_create_fragment = mpe->mpe_function; break; case MAC_CREATE_IFNET: mpc->mpc_ops->mpo_create_ifnet = mpe->mpe_function; break; case MAC_CREATE_IPQ: mpc->mpc_ops->mpo_create_ipq = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_MBUF: mpc->mpc_ops->mpo_create_mbuf_from_mbuf = mpe->mpe_function; break; case MAC_CREATE_MBUF_LINKLAYER: mpc->mpc_ops->mpo_create_mbuf_linklayer = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_BPFDESC: mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_IFNET: mpc->mpc_ops->mpo_create_mbuf_from_ifnet = mpe->mpe_function; break; case MAC_CREATE_MBUF_MULTICAST_ENCAP: mpc->mpc_ops->mpo_create_mbuf_multicast_encap = mpe->mpe_function; break; case MAC_CREATE_MBUF_NETLAYER: mpc->mpc_ops->mpo_create_mbuf_netlayer = mpe->mpe_function; break; case MAC_FRAGMENT_MATCH: mpc->mpc_ops->mpo_fragment_match = mpe->mpe_function; break; case MAC_RELABEL_IFNET: mpc->mpc_ops->mpo_relabel_ifnet = mpe->mpe_function; break; case MAC_UPDATE_IPQ: mpc->mpc_ops->mpo_update_ipq = mpe->mpe_function; break; case MAC_CREATE_CRED: mpc->mpc_ops->mpo_create_cred = mpe->mpe_function; break; case MAC_EXECVE_TRANSITION: mpc->mpc_ops->mpo_execve_transition = mpe->mpe_function; break; case MAC_EXECVE_WILL_TRANSITION: mpc->mpc_ops->mpo_execve_will_transition = mpe->mpe_function; break; case MAC_CREATE_PROC0: mpc->mpc_ops->mpo_create_proc0 = mpe->mpe_function; break; case MAC_CREATE_PROC1: mpc->mpc_ops->mpo_create_proc1 = mpe->mpe_function; break; case MAC_RELABEL_CRED: mpc->mpc_ops->mpo_relabel_cred = mpe->mpe_function; break; case MAC_CHECK_BPFDESC_RECEIVE: mpc->mpc_ops->mpo_check_bpfdesc_receive = mpe->mpe_function; break; case MAC_CHECK_CRED_RELABEL: mpc->mpc_ops->mpo_check_cred_relabel = mpe->mpe_function; break; case MAC_CHECK_CRED_VISIBLE: mpc->mpc_ops->mpo_check_cred_visible = mpe->mpe_function; break; case MAC_CHECK_IFNET_RELABEL: mpc->mpc_ops->mpo_check_ifnet_relabel = mpe->mpe_function; break; case MAC_CHECK_IFNET_TRANSMIT: mpc->mpc_ops->mpo_check_ifnet_transmit = mpe->mpe_function; break; case MAC_CHECK_MOUNT_STAT: mpc->mpc_ops->mpo_check_mount_stat = mpe->mpe_function; break; case MAC_CHECK_PIPE_IOCTL: mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; case MAC_CHECK_PIPE_OP: mpc->mpc_ops->mpo_check_pipe_op = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; break; case MAC_CHECK_PROC_SCHED: mpc->mpc_ops->mpo_check_proc_sched = mpe->mpe_function; break; case MAC_CHECK_PROC_SIGNAL: mpc->mpc_ops->mpo_check_proc_signal = mpe->mpe_function; break; case MAC_CHECK_SOCKET_BIND: mpc->mpc_ops->mpo_check_socket_bind = mpe->mpe_function; break; case MAC_CHECK_SOCKET_CONNECT: mpc->mpc_ops->mpo_check_socket_connect = mpe->mpe_function; break; case MAC_CHECK_SOCKET_DELIVER: mpc->mpc_ops->mpo_check_socket_deliver = mpe->mpe_function; break; case MAC_CHECK_SOCKET_LISTEN: mpc->mpc_ops->mpo_check_socket_listen = mpe->mpe_function; break; case MAC_CHECK_SOCKET_RELABEL: mpc->mpc_ops->mpo_check_socket_relabel = mpe->mpe_function; break; case MAC_CHECK_SOCKET_VISIBLE: mpc->mpc_ops->mpo_check_socket_visible = mpe->mpe_function; break; case MAC_CHECK_VNODE_ACCESS: mpc->mpc_ops->mpo_check_vnode_access = mpe->mpe_function; break; case MAC_CHECK_VNODE_CHDIR: mpc->mpc_ops->mpo_check_vnode_chdir = mpe->mpe_function; break; case MAC_CHECK_VNODE_CHROOT: mpc->mpc_ops->mpo_check_vnode_chroot = mpe->mpe_function; break; case MAC_CHECK_VNODE_CREATE: mpc->mpc_ops->mpo_check_vnode_create = mpe->mpe_function; break; case MAC_CHECK_VNODE_DELETE: mpc->mpc_ops->mpo_check_vnode_delete = mpe->mpe_function; break; case MAC_CHECK_VNODE_DELETEACL: mpc->mpc_ops->mpo_check_vnode_deleteacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_EXEC: mpc->mpc_ops->mpo_check_vnode_exec = mpe->mpe_function; break; case MAC_CHECK_VNODE_GETACL: mpc->mpc_ops->mpo_check_vnode_getacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_GETEXTATTR: mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; case MAC_CHECK_VNODE_LOOKUP: mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; break; case MAC_CHECK_VNODE_MMAP_PERMS: mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; break; case MAC_CHECK_VNODE_READLINK: mpc->mpc_ops->mpo_check_vnode_readlink = mpe->mpe_function; break; case MAC_CHECK_VNODE_RELABEL: mpc->mpc_ops->mpo_check_vnode_relabel = mpe->mpe_function; break; case MAC_CHECK_VNODE_RENAME_FROM: mpc->mpc_ops->mpo_check_vnode_rename_from = mpe->mpe_function; break; case MAC_CHECK_VNODE_RENAME_TO: mpc->mpc_ops->mpo_check_vnode_rename_to = mpe->mpe_function; break; case MAC_CHECK_VNODE_REVOKE: mpc->mpc_ops->mpo_check_vnode_revoke = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETACL: mpc->mpc_ops->mpo_check_vnode_setacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETEXTATTR: mpc->mpc_ops->mpo_check_vnode_setextattr = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETFLAGS: mpc->mpc_ops->mpo_check_vnode_setflags = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETMODE: mpc->mpc_ops->mpo_check_vnode_setmode = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETOWNER: mpc->mpc_ops->mpo_check_vnode_setowner = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETUTIMES: mpc->mpc_ops->mpo_check_vnode_setutimes = mpe->mpe_function; break; case MAC_CHECK_VNODE_STAT: mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", mpc->mpc_name, mpe->mpe_constant); return (EINVAL); */ } } MAC_POLICY_LIST_LOCK(); if (mac_policy_list_busy > 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (EBUSY); } LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (EEXIST); } } if (mpc->mpc_field_off != NULL) { slot = ffs(mac_policy_offsets_free); if (slot == 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (ENOMEM); } slot--; mac_policy_offsets_free &= ~(1 << slot); *mpc->mpc_field_off = slot; } mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED; LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list); /* Per-policy initialization. */ if (mpc->mpc_ops->mpo_init != NULL) (*(mpc->mpc_ops->mpo_init))(mpc); MAC_POLICY_LIST_UNLOCK(); printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); return (0); } static int mac_policy_unregister(struct mac_policy_conf *mpc) { #if 0 /* * Don't allow unloading modules with private data. */ if (mpc->mpc_field_off != NULL) return (EBUSY); #endif if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) return (EBUSY); MAC_POLICY_LIST_LOCK(); if (mac_policy_list_busy > 0) { MAC_POLICY_LIST_UNLOCK(); return (EBUSY); } if (mpc->mpc_ops->mpo_destroy != NULL) (*(mpc->mpc_ops->mpo_destroy))(mpc); LIST_REMOVE(mpc, mpc_list); MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); return (0); } /* * Define an error value precedence, and given two arguments, selects the * value with the higher precedence. */ static int error_select(int error1, int error2) { /* Certain decision-making errors take top priority. */ if (error1 == EDEADLK || error2 == EDEADLK) return (EDEADLK); /* Invalid arguments should be reported where possible. */ if (error1 == EINVAL || error2 == EINVAL) return (EINVAL); /* Precedence goes to "visibility", with both process and file. */ if (error1 == ESRCH || error2 == ESRCH) return (ESRCH); if (error1 == ENOENT || error2 == ENOENT) return (ENOENT); /* Precedence goes to DAC/MAC protections. */ if (error1 == EACCES || error2 == EACCES) return (EACCES); /* Precedence goes to privilege. */ if (error1 == EPERM || error2 == EPERM) return (EPERM); /* Precedence goes to error over success; otherwise, arbitrary. */ if (error1 != 0) return (error1); return (error2); } void mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp) { MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label); } void mac_update_procfsvnode(struct vnode *vp, struct ucred *cred) { MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred); } /* * Support callout for policies that manage their own externalization * using extended attributes. */ static int mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp) { int error; MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp, &mp->mnt_fslabel); return (error); } /* * Given an externalized mac label, internalize it and stamp it on a * vnode. */ static int mac_update_vnode_from_externalized(struct vnode *vp, struct mac *extmac) { int error; MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac); return (error); } /* * Call out to individual policies to update the label in a vnode from * the mountpoint. */ void mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp) { MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp, &mp->mnt_fslabel); ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount"); if (mac_cache_fslabel_in_vnode) vp->v_vflag |= VV_CACHEDLABEL; } /* * Implementation of VOP_REFRESHLABEL() that relies on extended attributes * to store label data. Can be referenced by filesystems supporting * extended attributes. */ int vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap) { struct vnode *vp = ap->a_vp; struct mac extmac; int buflen, error; ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea"); /* * Call out to external policies first. Order doesn't really * matter, as long as failure of one assures failure of all. */ error = mac_update_vnode_from_extattr(vp, vp->v_mount); if (error) return (error); buflen = sizeof(extmac); error = vn_extattr_get(vp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen, (char *)&extmac, curthread); switch (error) { case 0: /* Got it */ break; case ENOATTR: /* * Use the label from the mount point. */ mac_update_vnode_from_mount(vp, vp->v_mount); return (0); case EOPNOTSUPP: default: /* Fail horribly. */ return (error); } if (buflen != sizeof(extmac)) error = EPERM; /* Fail very closed. */ if (error == 0) error = mac_update_vnode_from_externalized(vp, &extmac); if (error == 0) vp->v_vflag |= VV_CACHEDLABEL; else { struct vattr va; printf("Corrupted label on %s", vp->v_mount->mnt_stat.f_mntonname); if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0) printf(" inum %ld", va.va_fileid); if (mac_debug_label_fallback) { printf(", falling back.\n"); mac_update_vnode_from_mount(vp, vp->v_mount); error = 0; } else { printf(".\n"); error = EPERM; } } return (error); } /* * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle * the labeling activity outselves. Filesystems should be careful not * to change their minds regarding whether they support vop_refreshlabel() * for a vnode or not. Don't cache the vnode here, allow the file * system code to determine if it's safe to cache. If we update from * the mount, don't cache since a change to the mount label should affect * all vnodes. */ static int vn_refreshlabel(struct vnode *vp, struct ucred *cred) { int error; ASSERT_VOP_LOCKED(vp, "vn_refreshlabel"); if (vp->v_mount == NULL) { /* Eventually, we probably want to special-case refreshing of deadfs vnodes, and if there's a lock-free race somewhere, that case might be handled here. mac_update_vnode_deadfs(vp); return (0); */ /* printf("vn_refreshlabel: null v_mount\n"); */ if (vp->v_tag != VT_NON) printf( "vn_refreshlabel: null v_mount with non-VT_NON\n"); return (EBADF); } if (vp->v_vflag & VV_CACHEDLABEL) { mac_vnode_label_cache_hits++; return (0); } else mac_vnode_label_cache_misses++; if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { mac_update_vnode_from_mount(vp, vp->v_mount); return (0); } error = VOP_REFRESHLABEL(vp, cred, curthread); switch (error) { case EOPNOTSUPP: /* * If labels are not supported on this vnode, fall back to * the label in the mount and propagate it to the vnode. * There should probably be some sort of policy/flag/decision * about doing this. */ mac_update_vnode_from_mount(vp, vp->v_mount); error = 0; default: return (error); } } /* * Helper function for file systems using the vop_std*_ea() calls. This * function must be called after EA service is available for the vnode, * but before it's hooked up to the namespace so that the node persists * if there's a crash, or before it can be accessed. On successful * commit of the label to disk (etc), do cache the label. */ int vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred) { struct mac extmac; int error; ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea"); if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { mac_update_vnode_from_mount(tvp, tvp->v_mount); } else { error = vn_refreshlabel(dvp, cred); if (error) return (error); /* * Stick the label in the vnode. Then try to write to * disk. If we fail, return a failure to abort the * create operation. Really, this failure shouldn't * happen except in fairly unusual circumstances (out * of disk, etc). */ mac_create_vnode(cred, dvp, tvp); error = mac_stdcreatevnode_ea(tvp); if (error) return (error); /* * XXX: Eventually this will go away and all policies will * directly manage their extended attributes. */ error = mac_externalize(&tvp->v_label, &extmac); if (error) return (error); error = vn_extattr_set(tvp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, sizeof(extmac), (char *)&extmac, curthread); if (error == 0) tvp->v_vflag |= VV_CACHEDLABEL; else { #if 0 /* * In theory, we could have fall-back behavior here. * It would probably be incorrect. */ #endif return (error); } } return (0); } void mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_execve_transition"); error = vn_refreshlabel(vp, old); if (error) { printf("mac_execve_transition: vn_refreshlabel returned %d\n", error); printf("mac_execve_transition: using old vnode label\n"); } MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label); } int mac_execve_will_transition(struct ucred *old, struct vnode *vp) { int error, result; error = vn_refreshlabel(vp, old); if (error) return (error); result = 0; MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label); return (result); } static void mac_init_label(struct label *label) { bzero(label, sizeof(*label)); label->l_flags = MAC_FLAG_INITIALIZED; } static void mac_init_structmac(struct mac *mac) { bzero(mac, sizeof(*mac)); mac->m_macflags = MAC_FLAG_INITIALIZED; } static void mac_destroy_label(struct label *label) { KASSERT(label->l_flags & MAC_FLAG_INITIALIZED, ("destroying uninitialized label")); bzero(label, sizeof(*label)); /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */ } int mac_init_mbuf(struct mbuf *m, int how) { KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf")); /* "how" is one of M_(TRY|DONT)WAIT */ mac_init_label(&m->m_pkthdr.label); MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_add_int(&nmacmbufs, 1); #endif return (0); } void mac_destroy_mbuf(struct mbuf *m) { MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmbufs, 1); #endif } void mac_init_cred(struct ucred *cr) { mac_init_label(&cr->cr_label); MAC_PERFORM(init_cred, cr, &cr->cr_label); #ifdef MAC_DEBUG atomic_add_int(&nmaccreds, 1); #endif } void mac_destroy_cred(struct ucred *cr) { MAC_PERFORM(destroy_cred, cr, &cr->cr_label); mac_destroy_label(&cr->cr_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmaccreds, 1); #endif } void mac_init_ifnet(struct ifnet *ifp) { mac_init_label(&ifp->if_label); MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); #ifdef MAC_DEBUG atomic_add_int(&nmacifnets, 1); #endif } void mac_destroy_ifnet(struct ifnet *ifp) { MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacifnets, 1); #endif } void mac_init_ipq(struct ipq *ipq) { mac_init_label(&ipq->ipq_label); MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); #ifdef MAC_DEBUG atomic_add_int(&nmacipqs, 1); #endif } void mac_destroy_ipq(struct ipq *ipq) { MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); mac_destroy_label(&ipq->ipq_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacipqs, 1); #endif } void mac_init_socket(struct socket *socket) { mac_init_label(&socket->so_label); mac_init_label(&socket->so_peerlabel); MAC_PERFORM(init_socket, socket, &socket->so_label, &socket->so_peerlabel); #ifdef MAC_DEBUG atomic_add_int(&nmacsockets, 1); #endif } void mac_destroy_socket(struct socket *socket) { MAC_PERFORM(destroy_socket, socket, &socket->so_label, &socket->so_peerlabel); mac_destroy_label(&socket->so_label); mac_destroy_label(&socket->so_peerlabel); #ifdef MAC_DEBUG atomic_subtract_int(&nmacsockets, 1); #endif } void mac_init_pipe(struct pipe *pipe) { struct label *label; label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); mac_init_label(label); pipe->pipe_label = label; pipe->pipe_peer->pipe_label = label; MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); #ifdef MAC_DEBUG atomic_add_int(&nmacpipes, 1); #endif } void mac_destroy_pipe(struct pipe *pipe) { MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); mac_destroy_label(pipe->pipe_label); free(pipe->pipe_label, M_MACPIPELABEL); #ifdef MAC_DEBUG atomic_subtract_int(&nmacpipes, 1); #endif } void mac_init_bpfdesc(struct bpf_d *bpf_d) { mac_init_label(&bpf_d->bd_label); MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); #ifdef MAC_DEBUG atomic_add_int(&nmacbpfdescs, 1); #endif } void mac_destroy_bpfdesc(struct bpf_d *bpf_d) { MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); mac_destroy_label(&bpf_d->bd_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacbpfdescs, 1); #endif } void mac_init_mount(struct mount *mp) { mac_init_label(&mp->mnt_mntlabel); mac_init_label(&mp->mnt_fslabel); MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); #ifdef MAC_DEBUG atomic_add_int(&nmacmounts, 1); #endif } void mac_destroy_mount(struct mount *mp) { MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); mac_destroy_label(&mp->mnt_fslabel); mac_destroy_label(&mp->mnt_mntlabel); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmounts, 1); #endif } static void mac_init_temp(struct label *label) { mac_init_label(label); MAC_PERFORM(init_temp, label); #ifdef MAC_DEBUG atomic_add_int(&nmactemp, 1); #endif } static void mac_destroy_temp(struct label *label) { MAC_PERFORM(destroy_temp, label); mac_destroy_label(label); #ifdef MAC_DEBUG atomic_subtract_int(&nmactemp, 1); #endif } void mac_init_vnode(struct vnode *vp) { mac_init_label(&vp->v_label); MAC_PERFORM(init_vnode, vp, &vp->v_label); #ifdef MAC_DEBUG atomic_add_int(&nmacvnodes, 1); #endif } void mac_destroy_vnode(struct vnode *vp) { MAC_PERFORM(destroy_vnode, vp, &vp->v_label); mac_destroy_label(&vp->v_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacvnodes, 1); #endif } void mac_init_devfsdirent(struct devfs_dirent *de) { mac_init_label(&de->de_label); MAC_PERFORM(init_devfsdirent, de, &de->de_label); #ifdef MAC_DEBUG atomic_add_int(&nmacdevfsdirents, 1); #endif } void mac_destroy_devfsdirent(struct devfs_dirent *de) { MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); mac_destroy_label(&de->de_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacdevfsdirents, 1); #endif } static int mac_externalize(struct label *label, struct mac *mac) { int error; mac_init_structmac(mac); MAC_CHECK(externalize, label, mac); return (error); } static int mac_internalize(struct label *label, struct mac *mac) { int error; mac_init_temp(label); MAC_CHECK(internalize, label, mac); if (error) mac_destroy_temp(label); return (error); } /* * Initialize MAC label for the first kernel process, from which other * kernel processes and threads are spawned. */ void mac_create_proc0(struct ucred *cred) { MAC_PERFORM(create_proc0, cred); } /* * Initialize MAC label for the first userland process, from which other * userland processes and threads are spawned. */ void mac_create_proc1(struct ucred *cred) { MAC_PERFORM(create_proc1, cred); } /* * When a new process is created, its label must be initialized. Generally, * this involves inheritence from the parent process, modulo possible * deltas. This function allows that processing to take place. */ void mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred) { MAC_PERFORM(create_cred, parent_cred, child_cred); } int mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags); return (error); } int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct componentname *cnp, struct vattr *vap) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap); return (error); } int mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type); return (error); } int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec"); if (!mac_enforce_process && !mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label); return (error); } int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type); return (error); } int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp); return (error); } vm_prot_t mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) { vm_prot_t result = VM_PROT_ALL; /* * This should be some sort of MAC_BITWISE, maybe :) */ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_perms"); MAC_BOOLEAN(check_vnode_mmap_perms, &, cred, vp, &vp->v_label, newmapping); return (result); } int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) +mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + if (!mac_enforce_fs) return (0); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + return (error); +} + +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); + error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); return (error); } int -mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + return (error); } int mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label); return (error); } static int mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel"); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel); return (error); } int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, struct vnode *vp, int samedir, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); if (vp != NULL) { error = vn_refreshlabel(vp, cred); if (error) return (error); } MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp, vp != NULL ? &vp->v_label : NULL, samedir, cnp); return (error); } int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label); return (error); } int mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, struct acl *acl) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl); return (error); } int mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags); return (error); } int mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode); return (error); } int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, gid_t gid) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid); return (error); } int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime, mtime); return (error); } int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label); return (error); } + +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its * memory space, and revoke access (in the least surprising ways we * know) when necessary. The process lock is not held here. */ static void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred) { /* XXX freeze all other threads */ mtx_lock(&Giant); mac_cred_mmapped_drop_perms_recurse(td, cred, &td->td_proc->p_vmspace->vm_map); mtx_unlock(&Giant); /* XXX allow other threads to continue */ } static __inline const char * prot2str(vm_prot_t prot) { switch (prot & VM_PROT_ALL) { case VM_PROT_READ: return ("r--"); case VM_PROT_READ | VM_PROT_WRITE: return ("rw-"); case VM_PROT_READ | VM_PROT_EXECUTE: return ("r-x"); case VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE: return ("rwx"); case VM_PROT_WRITE: return ("-w-"); case VM_PROT_EXECUTE: return ("--x"); case VM_PROT_WRITE | VM_PROT_EXECUTE: return ("-wx"); default: return ("---"); } } static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map) { struct vm_map_entry *vme; vm_prot_t result, revokeperms; vm_object_t object; vm_ooffset_t offset; struct vnode *vp; vm_map_lock_read(map); for (vme = map->header.next; vme != &map->header; vme = vme->next) { if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) { mac_cred_mmapped_drop_perms_recurse(td, cred, vme->object.sub_map); continue; } /* * Skip over entries that obviously are not shared. */ if (vme->eflags & (MAP_ENTRY_COW | MAP_ENTRY_NOSYNC) || !vme->max_protection) continue; /* * Drill down to the deepest backing object. */ offset = vme->offset; object = vme->object.vm_object; if (object == NULL) continue; while (object->backing_object != NULL) { object = object->backing_object; offset += object->backing_object_offset; } /* * At the moment, vm_maps and objects aren't considered * by the MAC system, so only things with backing by a * normal object (read: vnodes) are checked. */ if (object->type != OBJT_VNODE) continue; vp = (struct vnode *)object->handle; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); result = mac_check_vnode_mmap_prot(cred, vp, 0); VOP_UNLOCK(vp, 0, td); /* * Find out what maximum protection we may be allowing * now but a policy needs to get removed. */ revokeperms = vme->max_protection & ~result; if (!revokeperms) continue; printf("pid %d: revoking %s perms from %#lx:%d " "(max %s/cur %s)\n", td->td_proc->p_pid, prot2str(revokeperms), vme->start, vme->end - vme->start, prot2str(vme->max_protection), prot2str(vme->protection)); vm_map_lock_upgrade(map); /* * This is the really simple case: if a map has more * max_protection than is allowed, but it's not being * actually used (that is, the current protection is * still allowed), we can just wipe it out and do * nothing more. */ if ((vme->protection & revokeperms) == 0) { vme->max_protection -= revokeperms; } else { if (revokeperms & VM_PROT_WRITE) { /* * In the more complicated case, flush out all * pending changes to the object then turn it * copy-on-write. */ vm_object_reference(object); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); vm_object_page_clean(object, OFF_TO_IDX(offset), OFF_TO_IDX(offset + vme->end - vme->start + PAGE_MASK), OBJPC_SYNC); VOP_UNLOCK(vp, 0, td); vm_object_deallocate(object); /* * Why bother if there's no read permissions * anymore? For the rest, we need to leave * the write permissions on for COW, or * remove them entirely if configured to. */ if (!mac_mmap_revocation_via_cow) { vme->max_protection &= ~VM_PROT_WRITE; vme->protection &= ~VM_PROT_WRITE; } if ((revokeperms & VM_PROT_READ) == 0) vme->eflags |= MAP_ENTRY_COW | MAP_ENTRY_NEEDS_COPY; } if (revokeperms & VM_PROT_EXECUTE) { vme->max_protection &= ~VM_PROT_EXECUTE; vme->protection &= ~VM_PROT_EXECUTE; } if (revokeperms & VM_PROT_READ) { vme->max_protection = 0; vme->protection = 0; } pmap_protect(map->pmap, vme->start, vme->end, vme->protection & ~revokeperms); vm_map_simplify_entry(map, vme); } vm_map_lock_downgrade(map); } vm_map_unlock_read(map); } /* * When the subject's label changes, it may require revocation of privilege * to mapped objects. This can't be done on-the-fly later with a unified * buffer cache. */ static void mac_relabel_cred(struct ucred *cred, struct label *newlabel) { MAC_PERFORM(relabel_cred, cred, newlabel); mac_cred_mmapped_drop_perms(curthread, cred); } void mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel) { MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel); } void mac_create_ifnet(struct ifnet *ifnet) { MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label); } void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) { MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label); } void mac_create_socket(struct ucred *cred, struct socket *socket) { MAC_PERFORM(create_socket, cred, socket, &socket->so_label); } void mac_create_pipe(struct ucred *cred, struct pipe *pipe) { MAC_PERFORM(create_pipe, cred, pipe, pipe->pipe_label); } void mac_create_socket_from_socket(struct socket *oldsocket, struct socket *newsocket) { MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label, newsocket, &newsocket->so_label); } static void mac_relabel_socket(struct ucred *cred, struct socket *socket, struct label *newlabel) { MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel); } static void mac_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *newlabel) { MAC_PERFORM(relabel_pipe, cred, pipe, pipe->pipe_label, newlabel); } void mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) { MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, &mbuf->m_pkthdr.label, socket, &socket->so_peerlabel); } void mac_set_socket_peer_from_socket(struct socket *oldsocket, struct socket *newsocket) { MAC_PERFORM(set_socket_peer_from_socket, oldsocket, &oldsocket->so_label, newsocket, &newsocket->so_peerlabel); } void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram) { MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label, datagram, &datagram->m_pkthdr.label); } void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment) { MAC_PERFORM(create_fragment, datagram, &datagram->m_pkthdr.label, fragment, &fragment->m_pkthdr.label); } void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq) { MAC_PERFORM(create_ipq, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); } void mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_from_mbuf, oldmbuf, &oldmbuf->m_pkthdr.label, newmbuf, &newmbuf->m_pkthdr.label); } void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, &oldmbuf->m_pkthdr.label, ifnet, &ifnet->if_label, newmbuf, &newmbuf->m_pkthdr.label); } void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_netlayer, oldmbuf, &oldmbuf->m_pkthdr.label, newmbuf, &newmbuf->m_pkthdr.label); } int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) { int result; result = 1; MAC_BOOLEAN(fragment_match, &&, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); return (result); } void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) { MAC_PERFORM(update_ipq, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); } void mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mount(struct ucred *cred, struct mount *mp) { MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); } void mac_create_root_mount(struct ucred *cred, struct mount *mp) { MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); } int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) { int error; if (!mac_enforce_network) return (0); MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet, &ifnet->if_label); return (error); } static int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel) { int error; MAC_CHECK(check_cred_relabel, cred, newlabel); return (error); } int mac_check_cred_visible(struct ucred *u1, struct ucred *u2) { int error; if (!mac_enforce_process) return (0); MAC_CHECK(check_cred_visible, u1, u2); return (error); } int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) { int error; if (!mac_enforce_network) return (0); KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr")); if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED)) printf("%s%d: not initialized\n", ifnet->if_name, ifnet->if_unit); MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); return (error); } int mac_check_mount_stat(struct ucred *cred, struct mount *mount) { int error; if (!mac_enforce_fs) return (0); MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel); return (error); } int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, void *data) { int error; MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); return (error); } int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) { int error; MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); return (error); } static int mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *newlabel) { int error; MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); return (error); } int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_debug, cred, proc); return (error); } int mac_check_proc_sched(struct ucred *cred, struct proc *proc) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_sched, cred, proc); return (error); } int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_signal, cred, proc, signum); return (error); } int mac_check_socket_bind(struct ucred *ucred, struct socket *socket, struct sockaddr *sockaddr) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label, sockaddr); return (error); } int mac_check_socket_connect(struct ucred *cred, struct socket *socket, struct sockaddr *sockaddr) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label, sockaddr); return (error); } int mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf, &mbuf->m_pkthdr.label); return (error); } int mac_check_socket_listen(struct ucred *cred, struct socket *socket) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label); return (error); } static int mac_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *newlabel) { int error; MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label, newlabel); return (error); } int mac_check_socket_visible(struct ucred *cred, struct socket *socket) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label); return (error); } int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { struct mac label; int error; error = mac_externalize(&ifnet->if_label, &label); if (error) return (error); return (copyout(&label, ifr->ifr_ifru.ifru_data, sizeof(label))); } int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { struct mac newlabel; struct label intlabel; int error; error = copyin(ifr->ifr_ifru.ifru_data, &newlabel, sizeof(newlabel)); if (error) return (error); error = mac_internalize(&intlabel, &newlabel); if (error) return (error); /* * XXX: Note that this is a redundant privilege check, since * policies impose this check themselves if required by the * policy. Eventually, this should go away. */ error = suser_cred(cred, 0); if (error) goto out; MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label, &intlabel); if (error) goto out; MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel); out: mac_destroy_temp(&intlabel); return (error); } void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp) { MAC_PERFORM(create_devfs_vnode, de, &de->de_label, vp, &vp->v_label); } void mac_create_devfs_device(dev_t dev, struct devfs_dirent *de) { MAC_PERFORM(create_devfs_device, dev, de, &de->de_label); } static int mac_stdcreatevnode_ea(struct vnode *vp) { int error; MAC_CHECK(stdcreatevnode_ea, vp, &vp->v_label); return (error); } void mac_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *de) { MAC_PERFORM(create_devfs_directory, dirname, dirnamelen, de, &de->de_label); } /* * When a new vnode is created, this call will initialize its label. */ void mac_create_vnode(struct ucred *cred, struct vnode *parent, struct vnode *child) { int error; ASSERT_VOP_LOCKED(parent, "mac_create_vnode"); ASSERT_VOP_LOCKED(child, "mac_create_vnode"); error = vn_refreshlabel(parent, cred); if (error) { printf("mac_create_vnode: vn_refreshlabel returned %d\n", error); printf("mac_create_vnode: using old vnode label\n"); } MAC_PERFORM(create_vnode, cred, parent, &parent->v_label, child, &child->v_label); } int mac_setsockopt_label_set(struct ucred *cred, struct socket *so, struct mac *extmac) { struct label intlabel; int error; error = mac_internalize(&intlabel, extmac); if (error) return (error); mac_check_socket_relabel(cred, so, &intlabel); if (error) { mac_destroy_temp(&intlabel); return (error); } mac_relabel_socket(cred, so, &intlabel); mac_destroy_temp(&intlabel); return (0); } int mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) { int error; error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); mac_relabel_pipe(cred, pipe, label); return (0); } int mac_getsockopt_label_get(struct ucred *cred, struct socket *so, struct mac *extmac) { return (mac_externalize(&so->so_label, extmac)); } int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, struct mac *extmac) { return (mac_externalize(&so->so_peerlabel, extmac)); } /* * Implementation of VOP_SETLABEL() that relies on extended attributes * to store label data. Can be referenced by filesystems supporting * extended attributes. */ int vop_stdsetlabel_ea(struct vop_setlabel_args *ap) { struct vnode *vp = ap->a_vp; struct label *intlabel = ap->a_label; struct mac extmac; int error; ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea"); /* * XXX: Eventually call out to EA check/set calls here. * Be particularly careful to avoid race conditions, * consistency problems, and stability problems when * dealing with multiple EAs. In particular, we require * the ability to write multiple EAs on the same file in * a single transaction, which the current EA interface * does not provide. */ error = mac_externalize(intlabel, &extmac); if (error) return (error); error = vn_extattr_set(vp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, sizeof(extmac), (char *)&extmac, curthread); if (error) return (error); mac_relabel_vnode(ap->a_cred, vp, intlabel); vp->v_vflag |= VV_CACHEDLABEL; return (0); } static int vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) { int error; if (vp->v_mount == NULL) { /* printf("vn_setlabel: null v_mount\n"); */ if (vp->v_tag != VT_NON) printf("vn_setlabel: null v_mount with non-VT_NON\n"); return (EBADF); } if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) return (EOPNOTSUPP); /* * Multi-phase commit. First check the policies to confirm the * change is OK. Then commit via the filesystem. Finally, * update the actual vnode label. Question: maybe the filesystem * should update the vnode at the end as part of VOP_SETLABEL()? */ error = mac_check_vnode_relabel(cred, vp, intlabel); if (error) return (error); /* * VADMIN provides the opportunity for the filesystem to make * decisions about who is and is not able to modify labels * and protections on files. This might not be right. We can't * assume VOP_SETLABEL() will do it, because we might implement * that as part of vop_stdsetlabel_ea(). */ error = VOP_ACCESS(vp, VADMIN, cred, curthread); if (error) return (error); error = VOP_SETLABEL(vp, intlabel, cred, curthread); if (error) return (error); return (0); } /* * MPSAFE */ int __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) { struct mac extmac; int error; error = mac_externalize(&td->td_ucred->cr_label, &extmac); if (error == 0) error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); return (error); } /* * MPSAFE * * XXX: Needs to be re-written for proc locking. */ int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { struct ucred *newcred, *oldcred; struct proc *p; struct mac extmac; struct label intlabel; int error; error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) return (error); error = mac_internalize(&intlabel, &extmac); if (error) return (error); newcred = crget(); p = td->td_proc; PROC_LOCK(p); oldcred = p->p_ucred; error = mac_check_cred_relabel(oldcred, &intlabel); if (error) { PROC_UNLOCK(p); mac_destroy_temp(&intlabel); crfree(newcred); return (error); } setsugid(p); crcopy(newcred, oldcred); PROC_UNLOCK(p); mac_relabel_cred(newcred, &intlabel); PROC_LOCK(p); p->p_ucred = newcred; PROC_UNLOCK(p); crfree(oldcred); mac_destroy_temp(&intlabel); return (0); } /* * MPSAFE */ int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { struct file *fp; struct mac extmac; struct vnode *vp; struct pipe *pipe; int error; mtx_lock(&Giant); error = fget(td, SCARG(uap, fd), &fp); if (error) goto out; switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: vp = (struct vnode *)fp->f_data; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = vn_refreshlabel(vp, td->td_ucred); if (error == 0) error = mac_externalize(&vp->v_label, &extmac); VOP_UNLOCK(vp, 0, td); break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; error = mac_externalize(pipe->pipe_label, &extmac); break; default: error = EINVAL; } if (error == 0) error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); fdrop(fp, td); out: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { struct nameidata nd; struct mac extmac; int error; mtx_lock(&Giant); NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, SCARG(uap, path_p), td); error = namei(&nd); if (error) goto out; error = vn_refreshlabel(nd.ni_vp, td->td_ucred); if (error == 0) error = mac_externalize(&nd.ni_vp->v_label, &extmac); NDFREE(&nd, 0); if (error) goto out; error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); out: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { struct file *fp; struct mac extmac; struct label intlabel; struct mount *mp; struct vnode *vp; struct pipe *pipe; int error; mtx_lock(&Giant); error = fget(td, SCARG(uap, fd), &fp); if (error) goto out1; error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) goto out2; error = mac_internalize(&intlabel, &extmac); if (error) goto out2; switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: vp = (struct vnode *)fp->f_data; error = vn_start_write(vp, &mp, V_WAIT | PCATCH); if (error != 0) break; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = vn_setlabel(vp, &intlabel, td->td_ucred); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); mac_destroy_temp(&intlabel); break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); break; default: error = EINVAL; } out2: fdrop(fp, td); out1: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { struct nameidata nd; struct mac extmac; struct label intlabel; struct mount *mp; int error; mtx_lock(&Giant); error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) goto out; error = mac_internalize(&intlabel, &extmac); if (error) goto out; NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, SCARG(uap, path_p), td); error = namei(&nd); if (error) goto out2; error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error) goto out2; error = vn_setlabel(nd.ni_vp, &intlabel, td->td_ucred); vn_finished_write(mp); out2: mac_destroy_temp(&intlabel); NDFREE(&nd, 0); out: mtx_unlock(&Giant); return (error); } SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); #else /* !MAC */ int __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) { return (ENOSYS); } int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { return (ENOSYS); } int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { return (ENOSYS); } int __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { return (ENOSYS); } int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { return (ENOSYS); } int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { return (ENOSYS); } #endif /* !MAC */ Index: head/sys/security/mac/mac_framework.h =================================================================== --- head/sys/security/mac/mac_framework.h (revision 102111) +++ head/sys/security/mac/mac_framework.h (revision 102112) @@ -1,391 +1,393 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by NAI Labs, * the Security Research Division of Network Associates, Inc. under * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The names of the authors may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ /* * Userland/kernel interface for Mandatory Access Control. * * The POSIX.1e implementation page may be reached at: * http://www.trustedbsd.org/ */ #ifndef _SYS_MAC_H #define _SYS_MAC_H #include #ifndef _POSIX_MAC #define _POSIX_MAC #endif /* * XXXMAC: The single MAC extended attribute will be deprecated once * compound EA writes on a single target file can be performed cleanly * with UFS2. */ #define FREEBSD_MAC_EXTATTR_NAME "freebsd.mac" #define FREEBSD_MAC_EXTATTR_NAMESPACE EXTATTR_NAMESPACE_SYSTEM /* * XXXMAC: Per-policy structures will be moved from mac.h to per-policy * include files once the revised user interface is available. */ /* * Structures and constants associated with a Biba Integrity policy. * mac_biba represents a Biba label, with mb_type determining its properties, * and mb_grade represents the hierarchal grade if valid for the current * mb_type. These structures will move to mac_biba.h once we have dymamic * labels exposed to userland. */ struct mac_biba_element { u_short mbe_type; u_short mbe_grade; }; /* * Biba labels consist of two components: a single label, and a label * range. Depending on the context, one or both may be used; the mb_flags * field permits the provider to indicate what fields are intended for * use. */ struct mac_biba { int mb_flags; struct mac_biba_element mb_single; struct mac_biba_element mb_rangelow, mb_rangehigh; }; /* * Structures and constants associated with a Multi-Level Security policy. * mac_mls represents an MLS label, with mm_type determining its properties, * and mm_level represents the hierarchal sensitivity level if valid for the * current mm_type. These structures will move to mac_mls.h once we have * dynamic labels exposed to userland. */ struct mac_mls_element { u_short mme_type; u_short mme_level; }; /* * MLS labels consist of two components: a single label, and a label * range. Depending on the context, one or both may be used; the mb_flags * field permits the provider to indicate what fields are intended for * use. */ struct mac_mls { int mm_flags; struct mac_mls_element mm_single; struct mac_mls_element mm_rangelow, mm_rangehigh; }; /* * Structures and constants associated with a Type Enforcement policy. * mac_te represents a Type Enforcement label. */ #define MAC_TE_TYPE_MAXLEN 32 struct mac_te { char mt_type[MAC_TE_TYPE_MAXLEN+1]; /* TE type */ }; struct mac_sebsd { uint32_t ms_psid; /* persistent sid storage */ }; /* * Composite structures and constants which combine the various policy * elements into common structures to be associated with subjects and * objects. */ struct mac { int m_macflags; struct mac_biba m_biba; struct mac_mls m_mls; struct mac_te m_te; struct mac_sebsd m_sebsd; }; typedef struct mac *mac_t; #define MAC_FLAG_INITIALIZED 0x00000001 /* Is initialized. */ #ifndef _KERNEL /* * POSIX.1e functions visible in the application namespace. */ int mac_dominate(const mac_t _labela, const mac_t _labelb); int mac_equal(const mac_t labela, const mac_t _labelb); int mac_free(void *_buf_p); mac_t mac_from_text(const char *_text_p); mac_t mac_get_fd(int _fildes); mac_t mac_get_file(const char *_path_p); mac_t mac_get_proc(void); mac_t mac_glb(const mac_t _labela, const mac_t _labelb); mac_t mac_lub(const mac_t _labela, const mac_t _labelb); int mac_set_fd(int _fildes, const mac_t _label); int mac_set_file(const char *_path_p, mac_t _label); int mac_set_proc(const mac_t _label); ssize_t mac_size(mac_t _label); char * mac_to_text(const mac_t _label, size_t *_len_p); int mac_valid(const mac_t _label); /* * Extensions to POSIX.1e visible in the application namespace. */ int mac_is_present_np(const char *_policyname); int mac_policy(const char *_policyname, int call, void *arg); /* * System calls wrapped by some POSIX.1e functions. */ int __mac_get_fd(int _fd, struct mac *_mac_p); int __mac_get_file(const char *_path_p, struct mac *_mac_p); int __mac_get_proc(struct mac *_mac_p); int __mac_set_fd(int fd, struct mac *_mac_p); int __mac_set_file(const char *_path_p, struct mac *_mac_p); int __mac_set_proc(struct mac *_mac_p); #else /* _KERNEL */ /* * MAC entry point operations */ enum mac_ep_ops { MAC_OP_VNODE_READ, MAC_OP_VNODE_WRITE, MAC_OP_VNODE_POLL, MAC_OP_PIPE_READ, MAC_OP_PIPE_WRITE, MAC_OP_PIPE_STAT, MAC_OP_PIPE_POLL }; /* * Kernel functions to manage and evaluate labels. */ struct bpf_d; struct componentname; struct devfs_dirent; struct ifnet; struct ifreq; struct ipq; struct mbuf; struct mount; struct proc; struct sockaddr; struct socket; struct pipe; struct timespec; struct ucred; struct uio; struct vattr; struct vnode; #include /* XXX acl_type_t */ struct vop_refreshlabel_args; struct vop_setlabel_args; /* * Label operations. */ void mac_init_bpfdesc(struct bpf_d *); void mac_init_cred(struct ucred *); void mac_init_devfsdirent(struct devfs_dirent *); void mac_init_ifnet(struct ifnet *); void mac_init_ipq(struct ipq *); void mac_init_socket(struct socket *); void mac_init_pipe(struct pipe *); int mac_init_mbuf(struct mbuf *m, int how); void mac_init_mount(struct mount *); void mac_init_vnode(struct vnode *); void mac_destroy_bpfdesc(struct bpf_d *); void mac_destroy_cred(struct ucred *); void mac_destroy_devfsdirent(struct devfs_dirent *); void mac_destroy_ifnet(struct ifnet *); void mac_destroy_ipq(struct ipq *); void mac_destroy_socket(struct socket *); void mac_destroy_pipe(struct pipe *); void mac_destroy_mbuf(struct mbuf *); void mac_destroy_mount(struct mount *); void mac_destroy_vnode(struct vnode *); /* * Labeling event operations: file system objects, and things that * look a lot like file system objects. */ void mac_create_devfs_device(dev_t dev, struct devfs_dirent *de); void mac_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *de); void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp); void mac_create_vnode(struct ucred *cred, struct vnode *parent, struct vnode *child); void mac_create_mount(struct ucred *cred, struct mount *mp); void mac_create_root_mount(struct ucred *cred, struct mount *mp); void mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel); void mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp); void mac_update_procfsvnode(struct vnode *vp, struct ucred *cred); void mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp); /* * Labeling event operations: IPC objects. */ void mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m); void mac_create_socket(struct ucred *cred, struct socket *socket); void mac_create_socket_from_socket(struct socket *oldsocket, struct socket *newsocket); void mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket); void mac_set_socket_peer_from_socket(struct socket *oldsocket, struct socket *newsocket); void mac_create_pipe(struct ucred *cred, struct pipe *pipe); /* * Labeling event operations: network objects. */ void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d); void mac_create_ifnet(struct ifnet *ifp); void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq); void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram); void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment); void mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf); void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *m); void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m); void mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *m); void mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, struct mbuf *newmbuf); void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf); int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq); void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq); /* * Labeling event operations: processes. */ void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child); void mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp); int mac_execve_will_transition(struct ucred *old, struct vnode *vp); void mac_create_proc0(struct ucred *cred); void mac_create_proc1(struct ucred *cred); /* Access control checks. */ int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet); int mac_check_cred_visible(struct ucred *u1, struct ucred *u2); int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m); int mac_check_mount_stat(struct ucred *cred, struct mount *mp); int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op); int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, void *data); int mac_check_proc_debug(struct ucred *cred, struct proc *proc); int mac_check_proc_sched(struct ucred *cred, struct proc *proc); int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum); int mac_check_socket_bind(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr); int mac_check_socket_connect(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr); int mac_check_socket_deliver(struct socket *so, struct mbuf *m); int mac_check_socket_listen(struct ucred *cred, struct socket *so); int mac_check_socket_visible(struct ucred *cred, struct socket *so); int mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags); int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp); int mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp); int mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct componentname *cnp, struct vattr *vap); int mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp); int mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, acl_type_t type); int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp); int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type); int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio); int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp); /* XXX This u_char should be vm_prot_t! */ u_char mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping); -int mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op); int mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode); +int mac_check_vnode_poll(struct ucred *cred, struct vnode *vp); +int mac_check_vnode_read(struct ucred *cred, struct vnode *vp); int mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp); int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp); int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp); int mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, struct vnode *vp, int samedir, struct componentname *cnp); int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp); int mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, struct acl *acl); int mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio); int mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags); int mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode); int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, gid_t gid); int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime); int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp); +int mac_check_vnode_write(struct ucred *cred, struct vnode *vp); int mac_getsockopt_label_get(struct ucred *cred, struct socket *so, struct mac *extmac); int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, struct mac *extmac); int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet); int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet); int mac_setsockopt_label_set(struct ucred *cred, struct socket *so, struct mac *extmac); int mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label); /* * Calls to help various file systems implement labeling functionality * using their existing EA implementation. */ int vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred); int vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap); int vop_stdsetlabel_ea(struct vop_setlabel_args *ap); #endif /* _KERNEL */ #endif /* !_SYS_MAC_H */ Index: head/sys/security/mac/mac_internal.h =================================================================== --- head/sys/security/mac/mac_internal.h (revision 102111) +++ head/sys/security/mac/mac_internal.h (revision 102112) @@ -1,3174 +1,3221 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the * TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by NAI Labs, * the Security Research Division of Network Associates, Inc. under * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The names of the authors may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ /* * Developed by the TrustedBSD Project. * * Framework for extensible kernel access control. Kernel and userland * interface to the framework, policy registration and composition. */ #include "opt_mac.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef MAC /* * Declare that the kernel provides MAC support, version 1. This permits * modules to refuse to be loaded if the necessary support isn't present, * even if it's pre-boot. */ MODULE_VERSION(kernel_mac_support, 1); SYSCTL_DECL(_security); SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0, "TrustedBSD MAC policy controls"); SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0, "TrustedBSD MAC debug info"); static int mac_debug_label_fallback = 0; SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW, &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label" "when label is corrupted."); TUNABLE_INT("security.mac.debug_label_fallback", &mac_debug_label_fallback); #ifndef MAC_MAX_POLICIES #define MAC_MAX_POLICIES 8 #endif #if MAC_MAX_POLICIES > 32 #error "MAC_MAX_POLICIES too large" #endif static unsigned int mac_max_policies = MAC_MAX_POLICIES; static unsigned int mac_policy_offsets_free = (1 << MAC_MAX_POLICIES) - 1; SYSCTL_UINT(_security_mac, OID_AUTO, max_policies, CTLFLAG_RD, &mac_max_policies, 0, ""); static int mac_late = 0; static int mac_enforce_fs = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); static int mac_enforce_network = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, &mac_enforce_network, 0, "Enforce MAC policy on network packets"); TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network); static int mac_enforce_process = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW, &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations"); TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process); static int mac_enforce_socket = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); static int mac_enforce_pipe = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW, &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations"); static int mac_label_size = sizeof(struct mac); SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, &mac_label_size, 0, "Pre-compiled MAC label size"); static int mac_cache_fslabel_in_vnode = 1; SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW, &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode"); TUNABLE_INT("security.mac.cache_fslabel_in_vnode", &mac_cache_fslabel_in_vnode); static int mac_vnode_label_cache_hits = 0; SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD, &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels"); static int mac_vnode_label_cache_misses = 0; SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD, &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels"); static int mac_mmap_revocation_via_cow = 0; SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " "copy-on-write semantics, or by removing all write access"); #ifdef MAC_DEBUG static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, nmacipqs, nmacpipes; SYSCTL_UINT(_security_mac_debug, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, creds, CTLFLAG_RD, &nmaccreds, 0, "number of ucreds in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, ifnets, CTLFLAG_RD, &nmacifnets, 0, "number of ifnets in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, ipqs, CTLFLAG_RD, &nmacipqs, 0, "number of ipqs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, bpfdescs, CTLFLAG_RD, &nmacbpfdescs, 0, "number of bpfdescs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, pipes, CTLFLAG_RD, &nmacpipes, 0, "number of pipes in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, mounts, CTLFLAG_RD, &nmacmounts, 0, "number of mounts in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, temp, CTLFLAG_RD, &nmactemp, 0, "number of temporary labels in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, vnodes, CTLFLAG_RD, &nmacvnodes, 0, "number of vnodes in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, devfsdirents, CTLFLAG_RD, &nmacdevfsdirents, 0, "number of devfs dirents inuse"); #endif static int error_select(int error1, int error2); static int mac_externalize(struct label *label, struct mac *mac); static int mac_policy_register(struct mac_policy_conf *mpc); static int mac_policy_unregister(struct mac_policy_conf *mpc); static int mac_stdcreatevnode_ea(struct vnode *vp); static void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred); static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map); MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector"); MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes"); /* * mac_policy_list_lock protects the consistency of 'mac_policy_list', * the linked list of attached policy modules. Read-only consumers of * the list must acquire a shared lock for the duration of their use; * writers must acquire an exclusive lock. Note that for compound * operations, locks should be held for the entire compound operation, * and that this is not yet done for relabel requests. */ static struct mtx mac_policy_list_lock; static LIST_HEAD(, mac_policy_conf) mac_policy_list; static int mac_policy_list_busy; #define MAC_POLICY_LIST_LOCKINIT() mtx_init(&mac_policy_list_lock, \ "mac_policy_list_lock", NULL, MTX_DEF); #define MAC_POLICY_LIST_LOCK() mtx_lock(&mac_policy_list_lock); #define MAC_POLICY_LIST_UNLOCK() mtx_unlock(&mac_policy_list_lock); #define MAC_POLICY_LIST_BUSY() do { \ MAC_POLICY_LIST_LOCK(); \ mac_policy_list_busy++; \ MAC_POLICY_LIST_UNLOCK(); \ } while (0) #define MAC_POLICY_LIST_UNBUSY() do { \ MAC_POLICY_LIST_LOCK(); \ mac_policy_list_busy--; \ if (mac_policy_list_busy < 0) \ panic("Extra mac_policy_list_busy--"); \ MAC_POLICY_LIST_UNLOCK(); \ } while (0) /* * MAC_CHECK performs the designated check by walking the policy * module list and checking with each as to how it feels about the * request. Note that it returns its value via 'error' in the scope * of the caller. */ #define MAC_CHECK(check, args...) do { \ struct mac_policy_conf *mpc; \ \ error = 0; \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## check != NULL) \ error = error_select( \ mpc->mpc_ops->mpo_ ## check (args), \ error); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * MAC_BOOLEAN performs the designated boolean composition by walking * the module list, invoking each instance of the operation, and * combining the results using the passed C operator. Note that it * returns its value via 'result' in the scope of the caller, which * should be initialized by the caller in a meaningful way to get * a meaningful result. */ #define MAC_BOOLEAN(operation, composition, args...) do { \ struct mac_policy_conf *mpc; \ \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## operation != NULL) \ result = result composition \ mpc->mpc_ops->mpo_ ## operation (args); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * MAC_PERFORM performs the designated operation by walking the policy * module list and invoking that operation for each policy. */ #define MAC_PERFORM(operation, args...) do { \ struct mac_policy_conf *mpc; \ \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## operation != NULL) \ mpc->mpc_ops->mpo_ ## operation (args); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * Initialize the MAC subsystem, including appropriate SMP locks. */ static void mac_init(void) { LIST_INIT(&mac_policy_list); MAC_POLICY_LIST_LOCKINIT(); } /* * For the purposes of modules that want to know if they were loaded * "early", set the mac_late flag once we've processed modules either * linked into the kernel, or loaded before the kernel startup. */ static void mac_late_init(void) { mac_late = 1; } /* * Allow MAC policy modules to register during boot, etc. */ int mac_policy_modevent(module_t mod, int type, void *data) { struct mac_policy_conf *mpc; int error; error = 0; mpc = (struct mac_policy_conf *) data; switch (type) { case MOD_LOAD: if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE && mac_late) { printf("mac_policy_modevent: can't load %s policy " "after booting\n", mpc->mpc_name); error = EBUSY; break; } error = mac_policy_register(mpc); break; case MOD_UNLOAD: /* Don't unregister the module if it was never registered. */ if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) != 0) error = mac_policy_unregister(mpc); else error = 0; break; default: break; } return (error); } static int mac_policy_register(struct mac_policy_conf *mpc) { struct mac_policy_conf *tmpc; struct mac_policy_ops *ops; struct mac_policy_op_entry *mpe; int slot; MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*ops), M_MACOPVEC, M_WAITOK | M_ZERO); for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) { switch (mpe->mpe_constant) { case MAC_OP_LAST: /* * Doesn't actually happen, but this allows checking * that all enumerated values are handled. */ break; case MAC_DESTROY: mpc->mpc_ops->mpo_destroy = mpe->mpe_function; break; case MAC_INIT: mpc->mpc_ops->mpo_init = mpe->mpe_function; break; case MAC_INIT_BPFDESC: mpc->mpc_ops->mpo_init_bpfdesc = mpe->mpe_function; break; case MAC_INIT_CRED: mpc->mpc_ops->mpo_init_cred = mpe->mpe_function; break; case MAC_INIT_DEVFSDIRENT: mpc->mpc_ops->mpo_init_devfsdirent = mpe->mpe_function; break; case MAC_INIT_IFNET: mpc->mpc_ops->mpo_init_ifnet = mpe->mpe_function; break; case MAC_INIT_IPQ: mpc->mpc_ops->mpo_init_ipq = mpe->mpe_function; break; case MAC_INIT_MBUF: mpc->mpc_ops->mpo_init_mbuf = mpe->mpe_function; break; case MAC_INIT_MOUNT: mpc->mpc_ops->mpo_init_mount = mpe->mpe_function; break; case MAC_INIT_PIPE: mpc->mpc_ops->mpo_init_pipe = mpe->mpe_function; break; case MAC_INIT_SOCKET: mpc->mpc_ops->mpo_init_socket = mpe->mpe_function; break; case MAC_INIT_TEMP: mpc->mpc_ops->mpo_init_temp = mpe->mpe_function; break; case MAC_INIT_VNODE: mpc->mpc_ops->mpo_init_vnode = mpe->mpe_function; break; case MAC_DESTROY_BPFDESC: mpc->mpc_ops->mpo_destroy_bpfdesc = mpe->mpe_function; break; case MAC_DESTROY_CRED: mpc->mpc_ops->mpo_destroy_cred = mpe->mpe_function; break; case MAC_DESTROY_DEVFSDIRENT: mpc->mpc_ops->mpo_destroy_devfsdirent = mpe->mpe_function; break; case MAC_DESTROY_IFNET: mpc->mpc_ops->mpo_destroy_ifnet = mpe->mpe_function; break; case MAC_DESTROY_IPQ: mpc->mpc_ops->mpo_destroy_ipq = mpe->mpe_function; break; case MAC_DESTROY_MBUF: mpc->mpc_ops->mpo_destroy_mbuf = mpe->mpe_function; break; case MAC_DESTROY_MOUNT: mpc->mpc_ops->mpo_destroy_mount = mpe->mpe_function; break; case MAC_DESTROY_PIPE: mpc->mpc_ops->mpo_destroy_pipe = mpe->mpe_function; break; case MAC_DESTROY_SOCKET: mpc->mpc_ops->mpo_destroy_socket = mpe->mpe_function; break; case MAC_DESTROY_TEMP: mpc->mpc_ops->mpo_destroy_temp = mpe->mpe_function; break; case MAC_DESTROY_VNODE: mpc->mpc_ops->mpo_destroy_vnode = mpe->mpe_function; break; case MAC_EXTERNALIZE: mpc->mpc_ops->mpo_externalize = mpe->mpe_function; break; case MAC_INTERNALIZE: mpc->mpc_ops->mpo_internalize = mpe->mpe_function; break; case MAC_CREATE_DEVFS_DEVICE: mpc->mpc_ops->mpo_create_devfs_device = mpe->mpe_function; break; case MAC_CREATE_DEVFS_DIRECTORY: mpc->mpc_ops->mpo_create_devfs_directory = mpe->mpe_function; break; case MAC_CREATE_DEVFS_VNODE: mpc->mpc_ops->mpo_create_devfs_vnode = mpe->mpe_function; break; case MAC_STDCREATEVNODE_EA: mpc->mpc_ops->mpo_stdcreatevnode_ea = mpe->mpe_function; break; case MAC_CREATE_VNODE: mpc->mpc_ops->mpo_create_vnode = mpe->mpe_function; break; case MAC_CREATE_MOUNT: mpc->mpc_ops->mpo_create_mount = mpe->mpe_function; break; case MAC_CREATE_ROOT_MOUNT: mpc->mpc_ops->mpo_create_root_mount = mpe->mpe_function; break; case MAC_RELABEL_VNODE: mpc->mpc_ops->mpo_relabel_vnode = mpe->mpe_function; break; case MAC_UPDATE_DEVFSDIRENT: mpc->mpc_ops->mpo_update_devfsdirent = mpe->mpe_function; break; case MAC_UPDATE_PROCFSVNODE: mpc->mpc_ops->mpo_update_procfsvnode = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_EXTATTR: mpc->mpc_ops->mpo_update_vnode_from_extattr = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_EXTERNALIZED: mpc->mpc_ops->mpo_update_vnode_from_externalized = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_MOUNT: mpc->mpc_ops->mpo_update_vnode_from_mount = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_SOCKET: mpc->mpc_ops->mpo_create_mbuf_from_socket = mpe->mpe_function; break; case MAC_CREATE_PIPE: mpc->mpc_ops->mpo_create_pipe = mpe->mpe_function; break; case MAC_CREATE_SOCKET: mpc->mpc_ops->mpo_create_socket = mpe->mpe_function; break; case MAC_CREATE_SOCKET_FROM_SOCKET: mpc->mpc_ops->mpo_create_socket_from_socket = mpe->mpe_function; break; case MAC_RELABEL_PIPE: mpc->mpc_ops->mpo_relabel_pipe = mpe->mpe_function; break; case MAC_RELABEL_SOCKET: mpc->mpc_ops->mpo_relabel_socket = mpe->mpe_function; break; case MAC_SET_SOCKET_PEER_FROM_MBUF: mpc->mpc_ops->mpo_set_socket_peer_from_mbuf = mpe->mpe_function; break; case MAC_SET_SOCKET_PEER_FROM_SOCKET: mpc->mpc_ops->mpo_set_socket_peer_from_socket = mpe->mpe_function; break; case MAC_CREATE_BPFDESC: mpc->mpc_ops->mpo_create_bpfdesc = mpe->mpe_function; break; case MAC_CREATE_DATAGRAM_FROM_IPQ: mpc->mpc_ops->mpo_create_datagram_from_ipq = mpe->mpe_function; break; case MAC_CREATE_FRAGMENT: mpc->mpc_ops->mpo_create_fragment = mpe->mpe_function; break; case MAC_CREATE_IFNET: mpc->mpc_ops->mpo_create_ifnet = mpe->mpe_function; break; case MAC_CREATE_IPQ: mpc->mpc_ops->mpo_create_ipq = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_MBUF: mpc->mpc_ops->mpo_create_mbuf_from_mbuf = mpe->mpe_function; break; case MAC_CREATE_MBUF_LINKLAYER: mpc->mpc_ops->mpo_create_mbuf_linklayer = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_BPFDESC: mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_IFNET: mpc->mpc_ops->mpo_create_mbuf_from_ifnet = mpe->mpe_function; break; case MAC_CREATE_MBUF_MULTICAST_ENCAP: mpc->mpc_ops->mpo_create_mbuf_multicast_encap = mpe->mpe_function; break; case MAC_CREATE_MBUF_NETLAYER: mpc->mpc_ops->mpo_create_mbuf_netlayer = mpe->mpe_function; break; case MAC_FRAGMENT_MATCH: mpc->mpc_ops->mpo_fragment_match = mpe->mpe_function; break; case MAC_RELABEL_IFNET: mpc->mpc_ops->mpo_relabel_ifnet = mpe->mpe_function; break; case MAC_UPDATE_IPQ: mpc->mpc_ops->mpo_update_ipq = mpe->mpe_function; break; case MAC_CREATE_CRED: mpc->mpc_ops->mpo_create_cred = mpe->mpe_function; break; case MAC_EXECVE_TRANSITION: mpc->mpc_ops->mpo_execve_transition = mpe->mpe_function; break; case MAC_EXECVE_WILL_TRANSITION: mpc->mpc_ops->mpo_execve_will_transition = mpe->mpe_function; break; case MAC_CREATE_PROC0: mpc->mpc_ops->mpo_create_proc0 = mpe->mpe_function; break; case MAC_CREATE_PROC1: mpc->mpc_ops->mpo_create_proc1 = mpe->mpe_function; break; case MAC_RELABEL_CRED: mpc->mpc_ops->mpo_relabel_cred = mpe->mpe_function; break; case MAC_CHECK_BPFDESC_RECEIVE: mpc->mpc_ops->mpo_check_bpfdesc_receive = mpe->mpe_function; break; case MAC_CHECK_CRED_RELABEL: mpc->mpc_ops->mpo_check_cred_relabel = mpe->mpe_function; break; case MAC_CHECK_CRED_VISIBLE: mpc->mpc_ops->mpo_check_cred_visible = mpe->mpe_function; break; case MAC_CHECK_IFNET_RELABEL: mpc->mpc_ops->mpo_check_ifnet_relabel = mpe->mpe_function; break; case MAC_CHECK_IFNET_TRANSMIT: mpc->mpc_ops->mpo_check_ifnet_transmit = mpe->mpe_function; break; case MAC_CHECK_MOUNT_STAT: mpc->mpc_ops->mpo_check_mount_stat = mpe->mpe_function; break; case MAC_CHECK_PIPE_IOCTL: mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; case MAC_CHECK_PIPE_OP: mpc->mpc_ops->mpo_check_pipe_op = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; break; case MAC_CHECK_PROC_SCHED: mpc->mpc_ops->mpo_check_proc_sched = mpe->mpe_function; break; case MAC_CHECK_PROC_SIGNAL: mpc->mpc_ops->mpo_check_proc_signal = mpe->mpe_function; break; case MAC_CHECK_SOCKET_BIND: mpc->mpc_ops->mpo_check_socket_bind = mpe->mpe_function; break; case MAC_CHECK_SOCKET_CONNECT: mpc->mpc_ops->mpo_check_socket_connect = mpe->mpe_function; break; case MAC_CHECK_SOCKET_DELIVER: mpc->mpc_ops->mpo_check_socket_deliver = mpe->mpe_function; break; case MAC_CHECK_SOCKET_LISTEN: mpc->mpc_ops->mpo_check_socket_listen = mpe->mpe_function; break; case MAC_CHECK_SOCKET_RELABEL: mpc->mpc_ops->mpo_check_socket_relabel = mpe->mpe_function; break; case MAC_CHECK_SOCKET_VISIBLE: mpc->mpc_ops->mpo_check_socket_visible = mpe->mpe_function; break; case MAC_CHECK_VNODE_ACCESS: mpc->mpc_ops->mpo_check_vnode_access = mpe->mpe_function; break; case MAC_CHECK_VNODE_CHDIR: mpc->mpc_ops->mpo_check_vnode_chdir = mpe->mpe_function; break; case MAC_CHECK_VNODE_CHROOT: mpc->mpc_ops->mpo_check_vnode_chroot = mpe->mpe_function; break; case MAC_CHECK_VNODE_CREATE: mpc->mpc_ops->mpo_check_vnode_create = mpe->mpe_function; break; case MAC_CHECK_VNODE_DELETE: mpc->mpc_ops->mpo_check_vnode_delete = mpe->mpe_function; break; case MAC_CHECK_VNODE_DELETEACL: mpc->mpc_ops->mpo_check_vnode_deleteacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_EXEC: mpc->mpc_ops->mpo_check_vnode_exec = mpe->mpe_function; break; case MAC_CHECK_VNODE_GETACL: mpc->mpc_ops->mpo_check_vnode_getacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_GETEXTATTR: mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; case MAC_CHECK_VNODE_LOOKUP: mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; break; case MAC_CHECK_VNODE_MMAP_PERMS: mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; break; case MAC_CHECK_VNODE_READLINK: mpc->mpc_ops->mpo_check_vnode_readlink = mpe->mpe_function; break; case MAC_CHECK_VNODE_RELABEL: mpc->mpc_ops->mpo_check_vnode_relabel = mpe->mpe_function; break; case MAC_CHECK_VNODE_RENAME_FROM: mpc->mpc_ops->mpo_check_vnode_rename_from = mpe->mpe_function; break; case MAC_CHECK_VNODE_RENAME_TO: mpc->mpc_ops->mpo_check_vnode_rename_to = mpe->mpe_function; break; case MAC_CHECK_VNODE_REVOKE: mpc->mpc_ops->mpo_check_vnode_revoke = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETACL: mpc->mpc_ops->mpo_check_vnode_setacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETEXTATTR: mpc->mpc_ops->mpo_check_vnode_setextattr = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETFLAGS: mpc->mpc_ops->mpo_check_vnode_setflags = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETMODE: mpc->mpc_ops->mpo_check_vnode_setmode = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETOWNER: mpc->mpc_ops->mpo_check_vnode_setowner = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETUTIMES: mpc->mpc_ops->mpo_check_vnode_setutimes = mpe->mpe_function; break; case MAC_CHECK_VNODE_STAT: mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", mpc->mpc_name, mpe->mpe_constant); return (EINVAL); */ } } MAC_POLICY_LIST_LOCK(); if (mac_policy_list_busy > 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (EBUSY); } LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (EEXIST); } } if (mpc->mpc_field_off != NULL) { slot = ffs(mac_policy_offsets_free); if (slot == 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (ENOMEM); } slot--; mac_policy_offsets_free &= ~(1 << slot); *mpc->mpc_field_off = slot; } mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED; LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list); /* Per-policy initialization. */ if (mpc->mpc_ops->mpo_init != NULL) (*(mpc->mpc_ops->mpo_init))(mpc); MAC_POLICY_LIST_UNLOCK(); printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); return (0); } static int mac_policy_unregister(struct mac_policy_conf *mpc) { #if 0 /* * Don't allow unloading modules with private data. */ if (mpc->mpc_field_off != NULL) return (EBUSY); #endif if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) return (EBUSY); MAC_POLICY_LIST_LOCK(); if (mac_policy_list_busy > 0) { MAC_POLICY_LIST_UNLOCK(); return (EBUSY); } if (mpc->mpc_ops->mpo_destroy != NULL) (*(mpc->mpc_ops->mpo_destroy))(mpc); LIST_REMOVE(mpc, mpc_list); MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); return (0); } /* * Define an error value precedence, and given two arguments, selects the * value with the higher precedence. */ static int error_select(int error1, int error2) { /* Certain decision-making errors take top priority. */ if (error1 == EDEADLK || error2 == EDEADLK) return (EDEADLK); /* Invalid arguments should be reported where possible. */ if (error1 == EINVAL || error2 == EINVAL) return (EINVAL); /* Precedence goes to "visibility", with both process and file. */ if (error1 == ESRCH || error2 == ESRCH) return (ESRCH); if (error1 == ENOENT || error2 == ENOENT) return (ENOENT); /* Precedence goes to DAC/MAC protections. */ if (error1 == EACCES || error2 == EACCES) return (EACCES); /* Precedence goes to privilege. */ if (error1 == EPERM || error2 == EPERM) return (EPERM); /* Precedence goes to error over success; otherwise, arbitrary. */ if (error1 != 0) return (error1); return (error2); } void mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp) { MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label); } void mac_update_procfsvnode(struct vnode *vp, struct ucred *cred) { MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred); } /* * Support callout for policies that manage their own externalization * using extended attributes. */ static int mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp) { int error; MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp, &mp->mnt_fslabel); return (error); } /* * Given an externalized mac label, internalize it and stamp it on a * vnode. */ static int mac_update_vnode_from_externalized(struct vnode *vp, struct mac *extmac) { int error; MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac); return (error); } /* * Call out to individual policies to update the label in a vnode from * the mountpoint. */ void mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp) { MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp, &mp->mnt_fslabel); ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount"); if (mac_cache_fslabel_in_vnode) vp->v_vflag |= VV_CACHEDLABEL; } /* * Implementation of VOP_REFRESHLABEL() that relies on extended attributes * to store label data. Can be referenced by filesystems supporting * extended attributes. */ int vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap) { struct vnode *vp = ap->a_vp; struct mac extmac; int buflen, error; ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea"); /* * Call out to external policies first. Order doesn't really * matter, as long as failure of one assures failure of all. */ error = mac_update_vnode_from_extattr(vp, vp->v_mount); if (error) return (error); buflen = sizeof(extmac); error = vn_extattr_get(vp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen, (char *)&extmac, curthread); switch (error) { case 0: /* Got it */ break; case ENOATTR: /* * Use the label from the mount point. */ mac_update_vnode_from_mount(vp, vp->v_mount); return (0); case EOPNOTSUPP: default: /* Fail horribly. */ return (error); } if (buflen != sizeof(extmac)) error = EPERM; /* Fail very closed. */ if (error == 0) error = mac_update_vnode_from_externalized(vp, &extmac); if (error == 0) vp->v_vflag |= VV_CACHEDLABEL; else { struct vattr va; printf("Corrupted label on %s", vp->v_mount->mnt_stat.f_mntonname); if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0) printf(" inum %ld", va.va_fileid); if (mac_debug_label_fallback) { printf(", falling back.\n"); mac_update_vnode_from_mount(vp, vp->v_mount); error = 0; } else { printf(".\n"); error = EPERM; } } return (error); } /* * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle * the labeling activity outselves. Filesystems should be careful not * to change their minds regarding whether they support vop_refreshlabel() * for a vnode or not. Don't cache the vnode here, allow the file * system code to determine if it's safe to cache. If we update from * the mount, don't cache since a change to the mount label should affect * all vnodes. */ static int vn_refreshlabel(struct vnode *vp, struct ucred *cred) { int error; ASSERT_VOP_LOCKED(vp, "vn_refreshlabel"); if (vp->v_mount == NULL) { /* Eventually, we probably want to special-case refreshing of deadfs vnodes, and if there's a lock-free race somewhere, that case might be handled here. mac_update_vnode_deadfs(vp); return (0); */ /* printf("vn_refreshlabel: null v_mount\n"); */ if (vp->v_tag != VT_NON) printf( "vn_refreshlabel: null v_mount with non-VT_NON\n"); return (EBADF); } if (vp->v_vflag & VV_CACHEDLABEL) { mac_vnode_label_cache_hits++; return (0); } else mac_vnode_label_cache_misses++; if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { mac_update_vnode_from_mount(vp, vp->v_mount); return (0); } error = VOP_REFRESHLABEL(vp, cred, curthread); switch (error) { case EOPNOTSUPP: /* * If labels are not supported on this vnode, fall back to * the label in the mount and propagate it to the vnode. * There should probably be some sort of policy/flag/decision * about doing this. */ mac_update_vnode_from_mount(vp, vp->v_mount); error = 0; default: return (error); } } /* * Helper function for file systems using the vop_std*_ea() calls. This * function must be called after EA service is available for the vnode, * but before it's hooked up to the namespace so that the node persists * if there's a crash, or before it can be accessed. On successful * commit of the label to disk (etc), do cache the label. */ int vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred) { struct mac extmac; int error; ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea"); if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { mac_update_vnode_from_mount(tvp, tvp->v_mount); } else { error = vn_refreshlabel(dvp, cred); if (error) return (error); /* * Stick the label in the vnode. Then try to write to * disk. If we fail, return a failure to abort the * create operation. Really, this failure shouldn't * happen except in fairly unusual circumstances (out * of disk, etc). */ mac_create_vnode(cred, dvp, tvp); error = mac_stdcreatevnode_ea(tvp); if (error) return (error); /* * XXX: Eventually this will go away and all policies will * directly manage their extended attributes. */ error = mac_externalize(&tvp->v_label, &extmac); if (error) return (error); error = vn_extattr_set(tvp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, sizeof(extmac), (char *)&extmac, curthread); if (error == 0) tvp->v_vflag |= VV_CACHEDLABEL; else { #if 0 /* * In theory, we could have fall-back behavior here. * It would probably be incorrect. */ #endif return (error); } } return (0); } void mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_execve_transition"); error = vn_refreshlabel(vp, old); if (error) { printf("mac_execve_transition: vn_refreshlabel returned %d\n", error); printf("mac_execve_transition: using old vnode label\n"); } MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label); } int mac_execve_will_transition(struct ucred *old, struct vnode *vp) { int error, result; error = vn_refreshlabel(vp, old); if (error) return (error); result = 0; MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label); return (result); } static void mac_init_label(struct label *label) { bzero(label, sizeof(*label)); label->l_flags = MAC_FLAG_INITIALIZED; } static void mac_init_structmac(struct mac *mac) { bzero(mac, sizeof(*mac)); mac->m_macflags = MAC_FLAG_INITIALIZED; } static void mac_destroy_label(struct label *label) { KASSERT(label->l_flags & MAC_FLAG_INITIALIZED, ("destroying uninitialized label")); bzero(label, sizeof(*label)); /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */ } int mac_init_mbuf(struct mbuf *m, int how) { KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf")); /* "how" is one of M_(TRY|DONT)WAIT */ mac_init_label(&m->m_pkthdr.label); MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_add_int(&nmacmbufs, 1); #endif return (0); } void mac_destroy_mbuf(struct mbuf *m) { MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmbufs, 1); #endif } void mac_init_cred(struct ucred *cr) { mac_init_label(&cr->cr_label); MAC_PERFORM(init_cred, cr, &cr->cr_label); #ifdef MAC_DEBUG atomic_add_int(&nmaccreds, 1); #endif } void mac_destroy_cred(struct ucred *cr) { MAC_PERFORM(destroy_cred, cr, &cr->cr_label); mac_destroy_label(&cr->cr_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmaccreds, 1); #endif } void mac_init_ifnet(struct ifnet *ifp) { mac_init_label(&ifp->if_label); MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); #ifdef MAC_DEBUG atomic_add_int(&nmacifnets, 1); #endif } void mac_destroy_ifnet(struct ifnet *ifp) { MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacifnets, 1); #endif } void mac_init_ipq(struct ipq *ipq) { mac_init_label(&ipq->ipq_label); MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); #ifdef MAC_DEBUG atomic_add_int(&nmacipqs, 1); #endif } void mac_destroy_ipq(struct ipq *ipq) { MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); mac_destroy_label(&ipq->ipq_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacipqs, 1); #endif } void mac_init_socket(struct socket *socket) { mac_init_label(&socket->so_label); mac_init_label(&socket->so_peerlabel); MAC_PERFORM(init_socket, socket, &socket->so_label, &socket->so_peerlabel); #ifdef MAC_DEBUG atomic_add_int(&nmacsockets, 1); #endif } void mac_destroy_socket(struct socket *socket) { MAC_PERFORM(destroy_socket, socket, &socket->so_label, &socket->so_peerlabel); mac_destroy_label(&socket->so_label); mac_destroy_label(&socket->so_peerlabel); #ifdef MAC_DEBUG atomic_subtract_int(&nmacsockets, 1); #endif } void mac_init_pipe(struct pipe *pipe) { struct label *label; label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); mac_init_label(label); pipe->pipe_label = label; pipe->pipe_peer->pipe_label = label; MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); #ifdef MAC_DEBUG atomic_add_int(&nmacpipes, 1); #endif } void mac_destroy_pipe(struct pipe *pipe) { MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); mac_destroy_label(pipe->pipe_label); free(pipe->pipe_label, M_MACPIPELABEL); #ifdef MAC_DEBUG atomic_subtract_int(&nmacpipes, 1); #endif } void mac_init_bpfdesc(struct bpf_d *bpf_d) { mac_init_label(&bpf_d->bd_label); MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); #ifdef MAC_DEBUG atomic_add_int(&nmacbpfdescs, 1); #endif } void mac_destroy_bpfdesc(struct bpf_d *bpf_d) { MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); mac_destroy_label(&bpf_d->bd_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacbpfdescs, 1); #endif } void mac_init_mount(struct mount *mp) { mac_init_label(&mp->mnt_mntlabel); mac_init_label(&mp->mnt_fslabel); MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); #ifdef MAC_DEBUG atomic_add_int(&nmacmounts, 1); #endif } void mac_destroy_mount(struct mount *mp) { MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); mac_destroy_label(&mp->mnt_fslabel); mac_destroy_label(&mp->mnt_mntlabel); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmounts, 1); #endif } static void mac_init_temp(struct label *label) { mac_init_label(label); MAC_PERFORM(init_temp, label); #ifdef MAC_DEBUG atomic_add_int(&nmactemp, 1); #endif } static void mac_destroy_temp(struct label *label) { MAC_PERFORM(destroy_temp, label); mac_destroy_label(label); #ifdef MAC_DEBUG atomic_subtract_int(&nmactemp, 1); #endif } void mac_init_vnode(struct vnode *vp) { mac_init_label(&vp->v_label); MAC_PERFORM(init_vnode, vp, &vp->v_label); #ifdef MAC_DEBUG atomic_add_int(&nmacvnodes, 1); #endif } void mac_destroy_vnode(struct vnode *vp) { MAC_PERFORM(destroy_vnode, vp, &vp->v_label); mac_destroy_label(&vp->v_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacvnodes, 1); #endif } void mac_init_devfsdirent(struct devfs_dirent *de) { mac_init_label(&de->de_label); MAC_PERFORM(init_devfsdirent, de, &de->de_label); #ifdef MAC_DEBUG atomic_add_int(&nmacdevfsdirents, 1); #endif } void mac_destroy_devfsdirent(struct devfs_dirent *de) { MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); mac_destroy_label(&de->de_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacdevfsdirents, 1); #endif } static int mac_externalize(struct label *label, struct mac *mac) { int error; mac_init_structmac(mac); MAC_CHECK(externalize, label, mac); return (error); } static int mac_internalize(struct label *label, struct mac *mac) { int error; mac_init_temp(label); MAC_CHECK(internalize, label, mac); if (error) mac_destroy_temp(label); return (error); } /* * Initialize MAC label for the first kernel process, from which other * kernel processes and threads are spawned. */ void mac_create_proc0(struct ucred *cred) { MAC_PERFORM(create_proc0, cred); } /* * Initialize MAC label for the first userland process, from which other * userland processes and threads are spawned. */ void mac_create_proc1(struct ucred *cred) { MAC_PERFORM(create_proc1, cred); } /* * When a new process is created, its label must be initialized. Generally, * this involves inheritence from the parent process, modulo possible * deltas. This function allows that processing to take place. */ void mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred) { MAC_PERFORM(create_cred, parent_cred, child_cred); } int mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags); return (error); } int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct componentname *cnp, struct vattr *vap) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap); return (error); } int mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type); return (error); } int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec"); if (!mac_enforce_process && !mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label); return (error); } int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type); return (error); } int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp); return (error); } vm_prot_t mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) { vm_prot_t result = VM_PROT_ALL; /* * This should be some sort of MAC_BITWISE, maybe :) */ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_perms"); MAC_BOOLEAN(check_vnode_mmap_perms, &, cred, vp, &vp->v_label, newmapping); return (result); } int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) +mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + if (!mac_enforce_fs) return (0); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + return (error); +} + +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); + error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); return (error); } int -mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + return (error); } int mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label); return (error); } static int mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel"); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel); return (error); } int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, struct vnode *vp, int samedir, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); if (vp != NULL) { error = vn_refreshlabel(vp, cred); if (error) return (error); } MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp, vp != NULL ? &vp->v_label : NULL, samedir, cnp); return (error); } int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label); return (error); } int mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, struct acl *acl) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl); return (error); } int mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags); return (error); } int mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode); return (error); } int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, gid_t gid) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid); return (error); } int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime, mtime); return (error); } int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label); return (error); } + +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its * memory space, and revoke access (in the least surprising ways we * know) when necessary. The process lock is not held here. */ static void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred) { /* XXX freeze all other threads */ mtx_lock(&Giant); mac_cred_mmapped_drop_perms_recurse(td, cred, &td->td_proc->p_vmspace->vm_map); mtx_unlock(&Giant); /* XXX allow other threads to continue */ } static __inline const char * prot2str(vm_prot_t prot) { switch (prot & VM_PROT_ALL) { case VM_PROT_READ: return ("r--"); case VM_PROT_READ | VM_PROT_WRITE: return ("rw-"); case VM_PROT_READ | VM_PROT_EXECUTE: return ("r-x"); case VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE: return ("rwx"); case VM_PROT_WRITE: return ("-w-"); case VM_PROT_EXECUTE: return ("--x"); case VM_PROT_WRITE | VM_PROT_EXECUTE: return ("-wx"); default: return ("---"); } } static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map) { struct vm_map_entry *vme; vm_prot_t result, revokeperms; vm_object_t object; vm_ooffset_t offset; struct vnode *vp; vm_map_lock_read(map); for (vme = map->header.next; vme != &map->header; vme = vme->next) { if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) { mac_cred_mmapped_drop_perms_recurse(td, cred, vme->object.sub_map); continue; } /* * Skip over entries that obviously are not shared. */ if (vme->eflags & (MAP_ENTRY_COW | MAP_ENTRY_NOSYNC) || !vme->max_protection) continue; /* * Drill down to the deepest backing object. */ offset = vme->offset; object = vme->object.vm_object; if (object == NULL) continue; while (object->backing_object != NULL) { object = object->backing_object; offset += object->backing_object_offset; } /* * At the moment, vm_maps and objects aren't considered * by the MAC system, so only things with backing by a * normal object (read: vnodes) are checked. */ if (object->type != OBJT_VNODE) continue; vp = (struct vnode *)object->handle; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); result = mac_check_vnode_mmap_prot(cred, vp, 0); VOP_UNLOCK(vp, 0, td); /* * Find out what maximum protection we may be allowing * now but a policy needs to get removed. */ revokeperms = vme->max_protection & ~result; if (!revokeperms) continue; printf("pid %d: revoking %s perms from %#lx:%d " "(max %s/cur %s)\n", td->td_proc->p_pid, prot2str(revokeperms), vme->start, vme->end - vme->start, prot2str(vme->max_protection), prot2str(vme->protection)); vm_map_lock_upgrade(map); /* * This is the really simple case: if a map has more * max_protection than is allowed, but it's not being * actually used (that is, the current protection is * still allowed), we can just wipe it out and do * nothing more. */ if ((vme->protection & revokeperms) == 0) { vme->max_protection -= revokeperms; } else { if (revokeperms & VM_PROT_WRITE) { /* * In the more complicated case, flush out all * pending changes to the object then turn it * copy-on-write. */ vm_object_reference(object); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); vm_object_page_clean(object, OFF_TO_IDX(offset), OFF_TO_IDX(offset + vme->end - vme->start + PAGE_MASK), OBJPC_SYNC); VOP_UNLOCK(vp, 0, td); vm_object_deallocate(object); /* * Why bother if there's no read permissions * anymore? For the rest, we need to leave * the write permissions on for COW, or * remove them entirely if configured to. */ if (!mac_mmap_revocation_via_cow) { vme->max_protection &= ~VM_PROT_WRITE; vme->protection &= ~VM_PROT_WRITE; } if ((revokeperms & VM_PROT_READ) == 0) vme->eflags |= MAP_ENTRY_COW | MAP_ENTRY_NEEDS_COPY; } if (revokeperms & VM_PROT_EXECUTE) { vme->max_protection &= ~VM_PROT_EXECUTE; vme->protection &= ~VM_PROT_EXECUTE; } if (revokeperms & VM_PROT_READ) { vme->max_protection = 0; vme->protection = 0; } pmap_protect(map->pmap, vme->start, vme->end, vme->protection & ~revokeperms); vm_map_simplify_entry(map, vme); } vm_map_lock_downgrade(map); } vm_map_unlock_read(map); } /* * When the subject's label changes, it may require revocation of privilege * to mapped objects. This can't be done on-the-fly later with a unified * buffer cache. */ static void mac_relabel_cred(struct ucred *cred, struct label *newlabel) { MAC_PERFORM(relabel_cred, cred, newlabel); mac_cred_mmapped_drop_perms(curthread, cred); } void mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel) { MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel); } void mac_create_ifnet(struct ifnet *ifnet) { MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label); } void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) { MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label); } void mac_create_socket(struct ucred *cred, struct socket *socket) { MAC_PERFORM(create_socket, cred, socket, &socket->so_label); } void mac_create_pipe(struct ucred *cred, struct pipe *pipe) { MAC_PERFORM(create_pipe, cred, pipe, pipe->pipe_label); } void mac_create_socket_from_socket(struct socket *oldsocket, struct socket *newsocket) { MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label, newsocket, &newsocket->so_label); } static void mac_relabel_socket(struct ucred *cred, struct socket *socket, struct label *newlabel) { MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel); } static void mac_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *newlabel) { MAC_PERFORM(relabel_pipe, cred, pipe, pipe->pipe_label, newlabel); } void mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) { MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, &mbuf->m_pkthdr.label, socket, &socket->so_peerlabel); } void mac_set_socket_peer_from_socket(struct socket *oldsocket, struct socket *newsocket) { MAC_PERFORM(set_socket_peer_from_socket, oldsocket, &oldsocket->so_label, newsocket, &newsocket->so_peerlabel); } void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram) { MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label, datagram, &datagram->m_pkthdr.label); } void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment) { MAC_PERFORM(create_fragment, datagram, &datagram->m_pkthdr.label, fragment, &fragment->m_pkthdr.label); } void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq) { MAC_PERFORM(create_ipq, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); } void mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_from_mbuf, oldmbuf, &oldmbuf->m_pkthdr.label, newmbuf, &newmbuf->m_pkthdr.label); } void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, &oldmbuf->m_pkthdr.label, ifnet, &ifnet->if_label, newmbuf, &newmbuf->m_pkthdr.label); } void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_netlayer, oldmbuf, &oldmbuf->m_pkthdr.label, newmbuf, &newmbuf->m_pkthdr.label); } int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) { int result; result = 1; MAC_BOOLEAN(fragment_match, &&, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); return (result); } void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) { MAC_PERFORM(update_ipq, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); } void mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mount(struct ucred *cred, struct mount *mp) { MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); } void mac_create_root_mount(struct ucred *cred, struct mount *mp) { MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); } int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) { int error; if (!mac_enforce_network) return (0); MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet, &ifnet->if_label); return (error); } static int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel) { int error; MAC_CHECK(check_cred_relabel, cred, newlabel); return (error); } int mac_check_cred_visible(struct ucred *u1, struct ucred *u2) { int error; if (!mac_enforce_process) return (0); MAC_CHECK(check_cred_visible, u1, u2); return (error); } int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) { int error; if (!mac_enforce_network) return (0); KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr")); if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED)) printf("%s%d: not initialized\n", ifnet->if_name, ifnet->if_unit); MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); return (error); } int mac_check_mount_stat(struct ucred *cred, struct mount *mount) { int error; if (!mac_enforce_fs) return (0); MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel); return (error); } int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, void *data) { int error; MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); return (error); } int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) { int error; MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); return (error); } static int mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *newlabel) { int error; MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); return (error); } int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_debug, cred, proc); return (error); } int mac_check_proc_sched(struct ucred *cred, struct proc *proc) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_sched, cred, proc); return (error); } int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_signal, cred, proc, signum); return (error); } int mac_check_socket_bind(struct ucred *ucred, struct socket *socket, struct sockaddr *sockaddr) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label, sockaddr); return (error); } int mac_check_socket_connect(struct ucred *cred, struct socket *socket, struct sockaddr *sockaddr) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label, sockaddr); return (error); } int mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf, &mbuf->m_pkthdr.label); return (error); } int mac_check_socket_listen(struct ucred *cred, struct socket *socket) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label); return (error); } static int mac_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *newlabel) { int error; MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label, newlabel); return (error); } int mac_check_socket_visible(struct ucred *cred, struct socket *socket) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label); return (error); } int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { struct mac label; int error; error = mac_externalize(&ifnet->if_label, &label); if (error) return (error); return (copyout(&label, ifr->ifr_ifru.ifru_data, sizeof(label))); } int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { struct mac newlabel; struct label intlabel; int error; error = copyin(ifr->ifr_ifru.ifru_data, &newlabel, sizeof(newlabel)); if (error) return (error); error = mac_internalize(&intlabel, &newlabel); if (error) return (error); /* * XXX: Note that this is a redundant privilege check, since * policies impose this check themselves if required by the * policy. Eventually, this should go away. */ error = suser_cred(cred, 0); if (error) goto out; MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label, &intlabel); if (error) goto out; MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel); out: mac_destroy_temp(&intlabel); return (error); } void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp) { MAC_PERFORM(create_devfs_vnode, de, &de->de_label, vp, &vp->v_label); } void mac_create_devfs_device(dev_t dev, struct devfs_dirent *de) { MAC_PERFORM(create_devfs_device, dev, de, &de->de_label); } static int mac_stdcreatevnode_ea(struct vnode *vp) { int error; MAC_CHECK(stdcreatevnode_ea, vp, &vp->v_label); return (error); } void mac_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *de) { MAC_PERFORM(create_devfs_directory, dirname, dirnamelen, de, &de->de_label); } /* * When a new vnode is created, this call will initialize its label. */ void mac_create_vnode(struct ucred *cred, struct vnode *parent, struct vnode *child) { int error; ASSERT_VOP_LOCKED(parent, "mac_create_vnode"); ASSERT_VOP_LOCKED(child, "mac_create_vnode"); error = vn_refreshlabel(parent, cred); if (error) { printf("mac_create_vnode: vn_refreshlabel returned %d\n", error); printf("mac_create_vnode: using old vnode label\n"); } MAC_PERFORM(create_vnode, cred, parent, &parent->v_label, child, &child->v_label); } int mac_setsockopt_label_set(struct ucred *cred, struct socket *so, struct mac *extmac) { struct label intlabel; int error; error = mac_internalize(&intlabel, extmac); if (error) return (error); mac_check_socket_relabel(cred, so, &intlabel); if (error) { mac_destroy_temp(&intlabel); return (error); } mac_relabel_socket(cred, so, &intlabel); mac_destroy_temp(&intlabel); return (0); } int mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) { int error; error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); mac_relabel_pipe(cred, pipe, label); return (0); } int mac_getsockopt_label_get(struct ucred *cred, struct socket *so, struct mac *extmac) { return (mac_externalize(&so->so_label, extmac)); } int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, struct mac *extmac) { return (mac_externalize(&so->so_peerlabel, extmac)); } /* * Implementation of VOP_SETLABEL() that relies on extended attributes * to store label data. Can be referenced by filesystems supporting * extended attributes. */ int vop_stdsetlabel_ea(struct vop_setlabel_args *ap) { struct vnode *vp = ap->a_vp; struct label *intlabel = ap->a_label; struct mac extmac; int error; ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea"); /* * XXX: Eventually call out to EA check/set calls here. * Be particularly careful to avoid race conditions, * consistency problems, and stability problems when * dealing with multiple EAs. In particular, we require * the ability to write multiple EAs on the same file in * a single transaction, which the current EA interface * does not provide. */ error = mac_externalize(intlabel, &extmac); if (error) return (error); error = vn_extattr_set(vp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, sizeof(extmac), (char *)&extmac, curthread); if (error) return (error); mac_relabel_vnode(ap->a_cred, vp, intlabel); vp->v_vflag |= VV_CACHEDLABEL; return (0); } static int vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) { int error; if (vp->v_mount == NULL) { /* printf("vn_setlabel: null v_mount\n"); */ if (vp->v_tag != VT_NON) printf("vn_setlabel: null v_mount with non-VT_NON\n"); return (EBADF); } if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) return (EOPNOTSUPP); /* * Multi-phase commit. First check the policies to confirm the * change is OK. Then commit via the filesystem. Finally, * update the actual vnode label. Question: maybe the filesystem * should update the vnode at the end as part of VOP_SETLABEL()? */ error = mac_check_vnode_relabel(cred, vp, intlabel); if (error) return (error); /* * VADMIN provides the opportunity for the filesystem to make * decisions about who is and is not able to modify labels * and protections on files. This might not be right. We can't * assume VOP_SETLABEL() will do it, because we might implement * that as part of vop_stdsetlabel_ea(). */ error = VOP_ACCESS(vp, VADMIN, cred, curthread); if (error) return (error); error = VOP_SETLABEL(vp, intlabel, cred, curthread); if (error) return (error); return (0); } /* * MPSAFE */ int __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) { struct mac extmac; int error; error = mac_externalize(&td->td_ucred->cr_label, &extmac); if (error == 0) error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); return (error); } /* * MPSAFE * * XXX: Needs to be re-written for proc locking. */ int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { struct ucred *newcred, *oldcred; struct proc *p; struct mac extmac; struct label intlabel; int error; error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) return (error); error = mac_internalize(&intlabel, &extmac); if (error) return (error); newcred = crget(); p = td->td_proc; PROC_LOCK(p); oldcred = p->p_ucred; error = mac_check_cred_relabel(oldcred, &intlabel); if (error) { PROC_UNLOCK(p); mac_destroy_temp(&intlabel); crfree(newcred); return (error); } setsugid(p); crcopy(newcred, oldcred); PROC_UNLOCK(p); mac_relabel_cred(newcred, &intlabel); PROC_LOCK(p); p->p_ucred = newcred; PROC_UNLOCK(p); crfree(oldcred); mac_destroy_temp(&intlabel); return (0); } /* * MPSAFE */ int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { struct file *fp; struct mac extmac; struct vnode *vp; struct pipe *pipe; int error; mtx_lock(&Giant); error = fget(td, SCARG(uap, fd), &fp); if (error) goto out; switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: vp = (struct vnode *)fp->f_data; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = vn_refreshlabel(vp, td->td_ucred); if (error == 0) error = mac_externalize(&vp->v_label, &extmac); VOP_UNLOCK(vp, 0, td); break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; error = mac_externalize(pipe->pipe_label, &extmac); break; default: error = EINVAL; } if (error == 0) error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); fdrop(fp, td); out: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { struct nameidata nd; struct mac extmac; int error; mtx_lock(&Giant); NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, SCARG(uap, path_p), td); error = namei(&nd); if (error) goto out; error = vn_refreshlabel(nd.ni_vp, td->td_ucred); if (error == 0) error = mac_externalize(&nd.ni_vp->v_label, &extmac); NDFREE(&nd, 0); if (error) goto out; error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); out: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { struct file *fp; struct mac extmac; struct label intlabel; struct mount *mp; struct vnode *vp; struct pipe *pipe; int error; mtx_lock(&Giant); error = fget(td, SCARG(uap, fd), &fp); if (error) goto out1; error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) goto out2; error = mac_internalize(&intlabel, &extmac); if (error) goto out2; switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: vp = (struct vnode *)fp->f_data; error = vn_start_write(vp, &mp, V_WAIT | PCATCH); if (error != 0) break; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = vn_setlabel(vp, &intlabel, td->td_ucred); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); mac_destroy_temp(&intlabel); break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); break; default: error = EINVAL; } out2: fdrop(fp, td); out1: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { struct nameidata nd; struct mac extmac; struct label intlabel; struct mount *mp; int error; mtx_lock(&Giant); error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) goto out; error = mac_internalize(&intlabel, &extmac); if (error) goto out; NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, SCARG(uap, path_p), td); error = namei(&nd); if (error) goto out2; error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error) goto out2; error = vn_setlabel(nd.ni_vp, &intlabel, td->td_ucred); vn_finished_write(mp); out2: mac_destroy_temp(&intlabel); NDFREE(&nd, 0); out: mtx_unlock(&Giant); return (error); } SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); #else /* !MAC */ int __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) { return (ENOSYS); } int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { return (ENOSYS); } int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { return (ENOSYS); } int __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { return (ENOSYS); } int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { return (ENOSYS); } int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { return (ENOSYS); } #endif /* !MAC */ Index: head/sys/security/mac/mac_net.c =================================================================== --- head/sys/security/mac/mac_net.c (revision 102111) +++ head/sys/security/mac/mac_net.c (revision 102112) @@ -1,3174 +1,3221 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the * TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by NAI Labs, * the Security Research Division of Network Associates, Inc. under * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The names of the authors may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ /* * Developed by the TrustedBSD Project. * * Framework for extensible kernel access control. Kernel and userland * interface to the framework, policy registration and composition. */ #include "opt_mac.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef MAC /* * Declare that the kernel provides MAC support, version 1. This permits * modules to refuse to be loaded if the necessary support isn't present, * even if it's pre-boot. */ MODULE_VERSION(kernel_mac_support, 1); SYSCTL_DECL(_security); SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0, "TrustedBSD MAC policy controls"); SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0, "TrustedBSD MAC debug info"); static int mac_debug_label_fallback = 0; SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW, &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label" "when label is corrupted."); TUNABLE_INT("security.mac.debug_label_fallback", &mac_debug_label_fallback); #ifndef MAC_MAX_POLICIES #define MAC_MAX_POLICIES 8 #endif #if MAC_MAX_POLICIES > 32 #error "MAC_MAX_POLICIES too large" #endif static unsigned int mac_max_policies = MAC_MAX_POLICIES; static unsigned int mac_policy_offsets_free = (1 << MAC_MAX_POLICIES) - 1; SYSCTL_UINT(_security_mac, OID_AUTO, max_policies, CTLFLAG_RD, &mac_max_policies, 0, ""); static int mac_late = 0; static int mac_enforce_fs = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); static int mac_enforce_network = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, &mac_enforce_network, 0, "Enforce MAC policy on network packets"); TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network); static int mac_enforce_process = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW, &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations"); TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process); static int mac_enforce_socket = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); static int mac_enforce_pipe = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW, &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations"); static int mac_label_size = sizeof(struct mac); SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, &mac_label_size, 0, "Pre-compiled MAC label size"); static int mac_cache_fslabel_in_vnode = 1; SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW, &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode"); TUNABLE_INT("security.mac.cache_fslabel_in_vnode", &mac_cache_fslabel_in_vnode); static int mac_vnode_label_cache_hits = 0; SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD, &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels"); static int mac_vnode_label_cache_misses = 0; SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD, &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels"); static int mac_mmap_revocation_via_cow = 0; SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " "copy-on-write semantics, or by removing all write access"); #ifdef MAC_DEBUG static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, nmacipqs, nmacpipes; SYSCTL_UINT(_security_mac_debug, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, creds, CTLFLAG_RD, &nmaccreds, 0, "number of ucreds in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, ifnets, CTLFLAG_RD, &nmacifnets, 0, "number of ifnets in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, ipqs, CTLFLAG_RD, &nmacipqs, 0, "number of ipqs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, bpfdescs, CTLFLAG_RD, &nmacbpfdescs, 0, "number of bpfdescs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, pipes, CTLFLAG_RD, &nmacpipes, 0, "number of pipes in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, mounts, CTLFLAG_RD, &nmacmounts, 0, "number of mounts in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, temp, CTLFLAG_RD, &nmactemp, 0, "number of temporary labels in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, vnodes, CTLFLAG_RD, &nmacvnodes, 0, "number of vnodes in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, devfsdirents, CTLFLAG_RD, &nmacdevfsdirents, 0, "number of devfs dirents inuse"); #endif static int error_select(int error1, int error2); static int mac_externalize(struct label *label, struct mac *mac); static int mac_policy_register(struct mac_policy_conf *mpc); static int mac_policy_unregister(struct mac_policy_conf *mpc); static int mac_stdcreatevnode_ea(struct vnode *vp); static void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred); static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map); MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector"); MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes"); /* * mac_policy_list_lock protects the consistency of 'mac_policy_list', * the linked list of attached policy modules. Read-only consumers of * the list must acquire a shared lock for the duration of their use; * writers must acquire an exclusive lock. Note that for compound * operations, locks should be held for the entire compound operation, * and that this is not yet done for relabel requests. */ static struct mtx mac_policy_list_lock; static LIST_HEAD(, mac_policy_conf) mac_policy_list; static int mac_policy_list_busy; #define MAC_POLICY_LIST_LOCKINIT() mtx_init(&mac_policy_list_lock, \ "mac_policy_list_lock", NULL, MTX_DEF); #define MAC_POLICY_LIST_LOCK() mtx_lock(&mac_policy_list_lock); #define MAC_POLICY_LIST_UNLOCK() mtx_unlock(&mac_policy_list_lock); #define MAC_POLICY_LIST_BUSY() do { \ MAC_POLICY_LIST_LOCK(); \ mac_policy_list_busy++; \ MAC_POLICY_LIST_UNLOCK(); \ } while (0) #define MAC_POLICY_LIST_UNBUSY() do { \ MAC_POLICY_LIST_LOCK(); \ mac_policy_list_busy--; \ if (mac_policy_list_busy < 0) \ panic("Extra mac_policy_list_busy--"); \ MAC_POLICY_LIST_UNLOCK(); \ } while (0) /* * MAC_CHECK performs the designated check by walking the policy * module list and checking with each as to how it feels about the * request. Note that it returns its value via 'error' in the scope * of the caller. */ #define MAC_CHECK(check, args...) do { \ struct mac_policy_conf *mpc; \ \ error = 0; \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## check != NULL) \ error = error_select( \ mpc->mpc_ops->mpo_ ## check (args), \ error); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * MAC_BOOLEAN performs the designated boolean composition by walking * the module list, invoking each instance of the operation, and * combining the results using the passed C operator. Note that it * returns its value via 'result' in the scope of the caller, which * should be initialized by the caller in a meaningful way to get * a meaningful result. */ #define MAC_BOOLEAN(operation, composition, args...) do { \ struct mac_policy_conf *mpc; \ \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## operation != NULL) \ result = result composition \ mpc->mpc_ops->mpo_ ## operation (args); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * MAC_PERFORM performs the designated operation by walking the policy * module list and invoking that operation for each policy. */ #define MAC_PERFORM(operation, args...) do { \ struct mac_policy_conf *mpc; \ \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## operation != NULL) \ mpc->mpc_ops->mpo_ ## operation (args); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * Initialize the MAC subsystem, including appropriate SMP locks. */ static void mac_init(void) { LIST_INIT(&mac_policy_list); MAC_POLICY_LIST_LOCKINIT(); } /* * For the purposes of modules that want to know if they were loaded * "early", set the mac_late flag once we've processed modules either * linked into the kernel, or loaded before the kernel startup. */ static void mac_late_init(void) { mac_late = 1; } /* * Allow MAC policy modules to register during boot, etc. */ int mac_policy_modevent(module_t mod, int type, void *data) { struct mac_policy_conf *mpc; int error; error = 0; mpc = (struct mac_policy_conf *) data; switch (type) { case MOD_LOAD: if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE && mac_late) { printf("mac_policy_modevent: can't load %s policy " "after booting\n", mpc->mpc_name); error = EBUSY; break; } error = mac_policy_register(mpc); break; case MOD_UNLOAD: /* Don't unregister the module if it was never registered. */ if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) != 0) error = mac_policy_unregister(mpc); else error = 0; break; default: break; } return (error); } static int mac_policy_register(struct mac_policy_conf *mpc) { struct mac_policy_conf *tmpc; struct mac_policy_ops *ops; struct mac_policy_op_entry *mpe; int slot; MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*ops), M_MACOPVEC, M_WAITOK | M_ZERO); for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) { switch (mpe->mpe_constant) { case MAC_OP_LAST: /* * Doesn't actually happen, but this allows checking * that all enumerated values are handled. */ break; case MAC_DESTROY: mpc->mpc_ops->mpo_destroy = mpe->mpe_function; break; case MAC_INIT: mpc->mpc_ops->mpo_init = mpe->mpe_function; break; case MAC_INIT_BPFDESC: mpc->mpc_ops->mpo_init_bpfdesc = mpe->mpe_function; break; case MAC_INIT_CRED: mpc->mpc_ops->mpo_init_cred = mpe->mpe_function; break; case MAC_INIT_DEVFSDIRENT: mpc->mpc_ops->mpo_init_devfsdirent = mpe->mpe_function; break; case MAC_INIT_IFNET: mpc->mpc_ops->mpo_init_ifnet = mpe->mpe_function; break; case MAC_INIT_IPQ: mpc->mpc_ops->mpo_init_ipq = mpe->mpe_function; break; case MAC_INIT_MBUF: mpc->mpc_ops->mpo_init_mbuf = mpe->mpe_function; break; case MAC_INIT_MOUNT: mpc->mpc_ops->mpo_init_mount = mpe->mpe_function; break; case MAC_INIT_PIPE: mpc->mpc_ops->mpo_init_pipe = mpe->mpe_function; break; case MAC_INIT_SOCKET: mpc->mpc_ops->mpo_init_socket = mpe->mpe_function; break; case MAC_INIT_TEMP: mpc->mpc_ops->mpo_init_temp = mpe->mpe_function; break; case MAC_INIT_VNODE: mpc->mpc_ops->mpo_init_vnode = mpe->mpe_function; break; case MAC_DESTROY_BPFDESC: mpc->mpc_ops->mpo_destroy_bpfdesc = mpe->mpe_function; break; case MAC_DESTROY_CRED: mpc->mpc_ops->mpo_destroy_cred = mpe->mpe_function; break; case MAC_DESTROY_DEVFSDIRENT: mpc->mpc_ops->mpo_destroy_devfsdirent = mpe->mpe_function; break; case MAC_DESTROY_IFNET: mpc->mpc_ops->mpo_destroy_ifnet = mpe->mpe_function; break; case MAC_DESTROY_IPQ: mpc->mpc_ops->mpo_destroy_ipq = mpe->mpe_function; break; case MAC_DESTROY_MBUF: mpc->mpc_ops->mpo_destroy_mbuf = mpe->mpe_function; break; case MAC_DESTROY_MOUNT: mpc->mpc_ops->mpo_destroy_mount = mpe->mpe_function; break; case MAC_DESTROY_PIPE: mpc->mpc_ops->mpo_destroy_pipe = mpe->mpe_function; break; case MAC_DESTROY_SOCKET: mpc->mpc_ops->mpo_destroy_socket = mpe->mpe_function; break; case MAC_DESTROY_TEMP: mpc->mpc_ops->mpo_destroy_temp = mpe->mpe_function; break; case MAC_DESTROY_VNODE: mpc->mpc_ops->mpo_destroy_vnode = mpe->mpe_function; break; case MAC_EXTERNALIZE: mpc->mpc_ops->mpo_externalize = mpe->mpe_function; break; case MAC_INTERNALIZE: mpc->mpc_ops->mpo_internalize = mpe->mpe_function; break; case MAC_CREATE_DEVFS_DEVICE: mpc->mpc_ops->mpo_create_devfs_device = mpe->mpe_function; break; case MAC_CREATE_DEVFS_DIRECTORY: mpc->mpc_ops->mpo_create_devfs_directory = mpe->mpe_function; break; case MAC_CREATE_DEVFS_VNODE: mpc->mpc_ops->mpo_create_devfs_vnode = mpe->mpe_function; break; case MAC_STDCREATEVNODE_EA: mpc->mpc_ops->mpo_stdcreatevnode_ea = mpe->mpe_function; break; case MAC_CREATE_VNODE: mpc->mpc_ops->mpo_create_vnode = mpe->mpe_function; break; case MAC_CREATE_MOUNT: mpc->mpc_ops->mpo_create_mount = mpe->mpe_function; break; case MAC_CREATE_ROOT_MOUNT: mpc->mpc_ops->mpo_create_root_mount = mpe->mpe_function; break; case MAC_RELABEL_VNODE: mpc->mpc_ops->mpo_relabel_vnode = mpe->mpe_function; break; case MAC_UPDATE_DEVFSDIRENT: mpc->mpc_ops->mpo_update_devfsdirent = mpe->mpe_function; break; case MAC_UPDATE_PROCFSVNODE: mpc->mpc_ops->mpo_update_procfsvnode = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_EXTATTR: mpc->mpc_ops->mpo_update_vnode_from_extattr = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_EXTERNALIZED: mpc->mpc_ops->mpo_update_vnode_from_externalized = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_MOUNT: mpc->mpc_ops->mpo_update_vnode_from_mount = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_SOCKET: mpc->mpc_ops->mpo_create_mbuf_from_socket = mpe->mpe_function; break; case MAC_CREATE_PIPE: mpc->mpc_ops->mpo_create_pipe = mpe->mpe_function; break; case MAC_CREATE_SOCKET: mpc->mpc_ops->mpo_create_socket = mpe->mpe_function; break; case MAC_CREATE_SOCKET_FROM_SOCKET: mpc->mpc_ops->mpo_create_socket_from_socket = mpe->mpe_function; break; case MAC_RELABEL_PIPE: mpc->mpc_ops->mpo_relabel_pipe = mpe->mpe_function; break; case MAC_RELABEL_SOCKET: mpc->mpc_ops->mpo_relabel_socket = mpe->mpe_function; break; case MAC_SET_SOCKET_PEER_FROM_MBUF: mpc->mpc_ops->mpo_set_socket_peer_from_mbuf = mpe->mpe_function; break; case MAC_SET_SOCKET_PEER_FROM_SOCKET: mpc->mpc_ops->mpo_set_socket_peer_from_socket = mpe->mpe_function; break; case MAC_CREATE_BPFDESC: mpc->mpc_ops->mpo_create_bpfdesc = mpe->mpe_function; break; case MAC_CREATE_DATAGRAM_FROM_IPQ: mpc->mpc_ops->mpo_create_datagram_from_ipq = mpe->mpe_function; break; case MAC_CREATE_FRAGMENT: mpc->mpc_ops->mpo_create_fragment = mpe->mpe_function; break; case MAC_CREATE_IFNET: mpc->mpc_ops->mpo_create_ifnet = mpe->mpe_function; break; case MAC_CREATE_IPQ: mpc->mpc_ops->mpo_create_ipq = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_MBUF: mpc->mpc_ops->mpo_create_mbuf_from_mbuf = mpe->mpe_function; break; case MAC_CREATE_MBUF_LINKLAYER: mpc->mpc_ops->mpo_create_mbuf_linklayer = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_BPFDESC: mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_IFNET: mpc->mpc_ops->mpo_create_mbuf_from_ifnet = mpe->mpe_function; break; case MAC_CREATE_MBUF_MULTICAST_ENCAP: mpc->mpc_ops->mpo_create_mbuf_multicast_encap = mpe->mpe_function; break; case MAC_CREATE_MBUF_NETLAYER: mpc->mpc_ops->mpo_create_mbuf_netlayer = mpe->mpe_function; break; case MAC_FRAGMENT_MATCH: mpc->mpc_ops->mpo_fragment_match = mpe->mpe_function; break; case MAC_RELABEL_IFNET: mpc->mpc_ops->mpo_relabel_ifnet = mpe->mpe_function; break; case MAC_UPDATE_IPQ: mpc->mpc_ops->mpo_update_ipq = mpe->mpe_function; break; case MAC_CREATE_CRED: mpc->mpc_ops->mpo_create_cred = mpe->mpe_function; break; case MAC_EXECVE_TRANSITION: mpc->mpc_ops->mpo_execve_transition = mpe->mpe_function; break; case MAC_EXECVE_WILL_TRANSITION: mpc->mpc_ops->mpo_execve_will_transition = mpe->mpe_function; break; case MAC_CREATE_PROC0: mpc->mpc_ops->mpo_create_proc0 = mpe->mpe_function; break; case MAC_CREATE_PROC1: mpc->mpc_ops->mpo_create_proc1 = mpe->mpe_function; break; case MAC_RELABEL_CRED: mpc->mpc_ops->mpo_relabel_cred = mpe->mpe_function; break; case MAC_CHECK_BPFDESC_RECEIVE: mpc->mpc_ops->mpo_check_bpfdesc_receive = mpe->mpe_function; break; case MAC_CHECK_CRED_RELABEL: mpc->mpc_ops->mpo_check_cred_relabel = mpe->mpe_function; break; case MAC_CHECK_CRED_VISIBLE: mpc->mpc_ops->mpo_check_cred_visible = mpe->mpe_function; break; case MAC_CHECK_IFNET_RELABEL: mpc->mpc_ops->mpo_check_ifnet_relabel = mpe->mpe_function; break; case MAC_CHECK_IFNET_TRANSMIT: mpc->mpc_ops->mpo_check_ifnet_transmit = mpe->mpe_function; break; case MAC_CHECK_MOUNT_STAT: mpc->mpc_ops->mpo_check_mount_stat = mpe->mpe_function; break; case MAC_CHECK_PIPE_IOCTL: mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; case MAC_CHECK_PIPE_OP: mpc->mpc_ops->mpo_check_pipe_op = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; break; case MAC_CHECK_PROC_SCHED: mpc->mpc_ops->mpo_check_proc_sched = mpe->mpe_function; break; case MAC_CHECK_PROC_SIGNAL: mpc->mpc_ops->mpo_check_proc_signal = mpe->mpe_function; break; case MAC_CHECK_SOCKET_BIND: mpc->mpc_ops->mpo_check_socket_bind = mpe->mpe_function; break; case MAC_CHECK_SOCKET_CONNECT: mpc->mpc_ops->mpo_check_socket_connect = mpe->mpe_function; break; case MAC_CHECK_SOCKET_DELIVER: mpc->mpc_ops->mpo_check_socket_deliver = mpe->mpe_function; break; case MAC_CHECK_SOCKET_LISTEN: mpc->mpc_ops->mpo_check_socket_listen = mpe->mpe_function; break; case MAC_CHECK_SOCKET_RELABEL: mpc->mpc_ops->mpo_check_socket_relabel = mpe->mpe_function; break; case MAC_CHECK_SOCKET_VISIBLE: mpc->mpc_ops->mpo_check_socket_visible = mpe->mpe_function; break; case MAC_CHECK_VNODE_ACCESS: mpc->mpc_ops->mpo_check_vnode_access = mpe->mpe_function; break; case MAC_CHECK_VNODE_CHDIR: mpc->mpc_ops->mpo_check_vnode_chdir = mpe->mpe_function; break; case MAC_CHECK_VNODE_CHROOT: mpc->mpc_ops->mpo_check_vnode_chroot = mpe->mpe_function; break; case MAC_CHECK_VNODE_CREATE: mpc->mpc_ops->mpo_check_vnode_create = mpe->mpe_function; break; case MAC_CHECK_VNODE_DELETE: mpc->mpc_ops->mpo_check_vnode_delete = mpe->mpe_function; break; case MAC_CHECK_VNODE_DELETEACL: mpc->mpc_ops->mpo_check_vnode_deleteacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_EXEC: mpc->mpc_ops->mpo_check_vnode_exec = mpe->mpe_function; break; case MAC_CHECK_VNODE_GETACL: mpc->mpc_ops->mpo_check_vnode_getacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_GETEXTATTR: mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; case MAC_CHECK_VNODE_LOOKUP: mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; break; case MAC_CHECK_VNODE_MMAP_PERMS: mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; break; case MAC_CHECK_VNODE_READLINK: mpc->mpc_ops->mpo_check_vnode_readlink = mpe->mpe_function; break; case MAC_CHECK_VNODE_RELABEL: mpc->mpc_ops->mpo_check_vnode_relabel = mpe->mpe_function; break; case MAC_CHECK_VNODE_RENAME_FROM: mpc->mpc_ops->mpo_check_vnode_rename_from = mpe->mpe_function; break; case MAC_CHECK_VNODE_RENAME_TO: mpc->mpc_ops->mpo_check_vnode_rename_to = mpe->mpe_function; break; case MAC_CHECK_VNODE_REVOKE: mpc->mpc_ops->mpo_check_vnode_revoke = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETACL: mpc->mpc_ops->mpo_check_vnode_setacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETEXTATTR: mpc->mpc_ops->mpo_check_vnode_setextattr = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETFLAGS: mpc->mpc_ops->mpo_check_vnode_setflags = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETMODE: mpc->mpc_ops->mpo_check_vnode_setmode = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETOWNER: mpc->mpc_ops->mpo_check_vnode_setowner = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETUTIMES: mpc->mpc_ops->mpo_check_vnode_setutimes = mpe->mpe_function; break; case MAC_CHECK_VNODE_STAT: mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", mpc->mpc_name, mpe->mpe_constant); return (EINVAL); */ } } MAC_POLICY_LIST_LOCK(); if (mac_policy_list_busy > 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (EBUSY); } LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (EEXIST); } } if (mpc->mpc_field_off != NULL) { slot = ffs(mac_policy_offsets_free); if (slot == 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (ENOMEM); } slot--; mac_policy_offsets_free &= ~(1 << slot); *mpc->mpc_field_off = slot; } mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED; LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list); /* Per-policy initialization. */ if (mpc->mpc_ops->mpo_init != NULL) (*(mpc->mpc_ops->mpo_init))(mpc); MAC_POLICY_LIST_UNLOCK(); printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); return (0); } static int mac_policy_unregister(struct mac_policy_conf *mpc) { #if 0 /* * Don't allow unloading modules with private data. */ if (mpc->mpc_field_off != NULL) return (EBUSY); #endif if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) return (EBUSY); MAC_POLICY_LIST_LOCK(); if (mac_policy_list_busy > 0) { MAC_POLICY_LIST_UNLOCK(); return (EBUSY); } if (mpc->mpc_ops->mpo_destroy != NULL) (*(mpc->mpc_ops->mpo_destroy))(mpc); LIST_REMOVE(mpc, mpc_list); MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); return (0); } /* * Define an error value precedence, and given two arguments, selects the * value with the higher precedence. */ static int error_select(int error1, int error2) { /* Certain decision-making errors take top priority. */ if (error1 == EDEADLK || error2 == EDEADLK) return (EDEADLK); /* Invalid arguments should be reported where possible. */ if (error1 == EINVAL || error2 == EINVAL) return (EINVAL); /* Precedence goes to "visibility", with both process and file. */ if (error1 == ESRCH || error2 == ESRCH) return (ESRCH); if (error1 == ENOENT || error2 == ENOENT) return (ENOENT); /* Precedence goes to DAC/MAC protections. */ if (error1 == EACCES || error2 == EACCES) return (EACCES); /* Precedence goes to privilege. */ if (error1 == EPERM || error2 == EPERM) return (EPERM); /* Precedence goes to error over success; otherwise, arbitrary. */ if (error1 != 0) return (error1); return (error2); } void mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp) { MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label); } void mac_update_procfsvnode(struct vnode *vp, struct ucred *cred) { MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred); } /* * Support callout for policies that manage their own externalization * using extended attributes. */ static int mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp) { int error; MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp, &mp->mnt_fslabel); return (error); } /* * Given an externalized mac label, internalize it and stamp it on a * vnode. */ static int mac_update_vnode_from_externalized(struct vnode *vp, struct mac *extmac) { int error; MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac); return (error); } /* * Call out to individual policies to update the label in a vnode from * the mountpoint. */ void mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp) { MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp, &mp->mnt_fslabel); ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount"); if (mac_cache_fslabel_in_vnode) vp->v_vflag |= VV_CACHEDLABEL; } /* * Implementation of VOP_REFRESHLABEL() that relies on extended attributes * to store label data. Can be referenced by filesystems supporting * extended attributes. */ int vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap) { struct vnode *vp = ap->a_vp; struct mac extmac; int buflen, error; ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea"); /* * Call out to external policies first. Order doesn't really * matter, as long as failure of one assures failure of all. */ error = mac_update_vnode_from_extattr(vp, vp->v_mount); if (error) return (error); buflen = sizeof(extmac); error = vn_extattr_get(vp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen, (char *)&extmac, curthread); switch (error) { case 0: /* Got it */ break; case ENOATTR: /* * Use the label from the mount point. */ mac_update_vnode_from_mount(vp, vp->v_mount); return (0); case EOPNOTSUPP: default: /* Fail horribly. */ return (error); } if (buflen != sizeof(extmac)) error = EPERM; /* Fail very closed. */ if (error == 0) error = mac_update_vnode_from_externalized(vp, &extmac); if (error == 0) vp->v_vflag |= VV_CACHEDLABEL; else { struct vattr va; printf("Corrupted label on %s", vp->v_mount->mnt_stat.f_mntonname); if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0) printf(" inum %ld", va.va_fileid); if (mac_debug_label_fallback) { printf(", falling back.\n"); mac_update_vnode_from_mount(vp, vp->v_mount); error = 0; } else { printf(".\n"); error = EPERM; } } return (error); } /* * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle * the labeling activity outselves. Filesystems should be careful not * to change their minds regarding whether they support vop_refreshlabel() * for a vnode or not. Don't cache the vnode here, allow the file * system code to determine if it's safe to cache. If we update from * the mount, don't cache since a change to the mount label should affect * all vnodes. */ static int vn_refreshlabel(struct vnode *vp, struct ucred *cred) { int error; ASSERT_VOP_LOCKED(vp, "vn_refreshlabel"); if (vp->v_mount == NULL) { /* Eventually, we probably want to special-case refreshing of deadfs vnodes, and if there's a lock-free race somewhere, that case might be handled here. mac_update_vnode_deadfs(vp); return (0); */ /* printf("vn_refreshlabel: null v_mount\n"); */ if (vp->v_tag != VT_NON) printf( "vn_refreshlabel: null v_mount with non-VT_NON\n"); return (EBADF); } if (vp->v_vflag & VV_CACHEDLABEL) { mac_vnode_label_cache_hits++; return (0); } else mac_vnode_label_cache_misses++; if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { mac_update_vnode_from_mount(vp, vp->v_mount); return (0); } error = VOP_REFRESHLABEL(vp, cred, curthread); switch (error) { case EOPNOTSUPP: /* * If labels are not supported on this vnode, fall back to * the label in the mount and propagate it to the vnode. * There should probably be some sort of policy/flag/decision * about doing this. */ mac_update_vnode_from_mount(vp, vp->v_mount); error = 0; default: return (error); } } /* * Helper function for file systems using the vop_std*_ea() calls. This * function must be called after EA service is available for the vnode, * but before it's hooked up to the namespace so that the node persists * if there's a crash, or before it can be accessed. On successful * commit of the label to disk (etc), do cache the label. */ int vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred) { struct mac extmac; int error; ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea"); if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { mac_update_vnode_from_mount(tvp, tvp->v_mount); } else { error = vn_refreshlabel(dvp, cred); if (error) return (error); /* * Stick the label in the vnode. Then try to write to * disk. If we fail, return a failure to abort the * create operation. Really, this failure shouldn't * happen except in fairly unusual circumstances (out * of disk, etc). */ mac_create_vnode(cred, dvp, tvp); error = mac_stdcreatevnode_ea(tvp); if (error) return (error); /* * XXX: Eventually this will go away and all policies will * directly manage their extended attributes. */ error = mac_externalize(&tvp->v_label, &extmac); if (error) return (error); error = vn_extattr_set(tvp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, sizeof(extmac), (char *)&extmac, curthread); if (error == 0) tvp->v_vflag |= VV_CACHEDLABEL; else { #if 0 /* * In theory, we could have fall-back behavior here. * It would probably be incorrect. */ #endif return (error); } } return (0); } void mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_execve_transition"); error = vn_refreshlabel(vp, old); if (error) { printf("mac_execve_transition: vn_refreshlabel returned %d\n", error); printf("mac_execve_transition: using old vnode label\n"); } MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label); } int mac_execve_will_transition(struct ucred *old, struct vnode *vp) { int error, result; error = vn_refreshlabel(vp, old); if (error) return (error); result = 0; MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label); return (result); } static void mac_init_label(struct label *label) { bzero(label, sizeof(*label)); label->l_flags = MAC_FLAG_INITIALIZED; } static void mac_init_structmac(struct mac *mac) { bzero(mac, sizeof(*mac)); mac->m_macflags = MAC_FLAG_INITIALIZED; } static void mac_destroy_label(struct label *label) { KASSERT(label->l_flags & MAC_FLAG_INITIALIZED, ("destroying uninitialized label")); bzero(label, sizeof(*label)); /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */ } int mac_init_mbuf(struct mbuf *m, int how) { KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf")); /* "how" is one of M_(TRY|DONT)WAIT */ mac_init_label(&m->m_pkthdr.label); MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_add_int(&nmacmbufs, 1); #endif return (0); } void mac_destroy_mbuf(struct mbuf *m) { MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmbufs, 1); #endif } void mac_init_cred(struct ucred *cr) { mac_init_label(&cr->cr_label); MAC_PERFORM(init_cred, cr, &cr->cr_label); #ifdef MAC_DEBUG atomic_add_int(&nmaccreds, 1); #endif } void mac_destroy_cred(struct ucred *cr) { MAC_PERFORM(destroy_cred, cr, &cr->cr_label); mac_destroy_label(&cr->cr_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmaccreds, 1); #endif } void mac_init_ifnet(struct ifnet *ifp) { mac_init_label(&ifp->if_label); MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); #ifdef MAC_DEBUG atomic_add_int(&nmacifnets, 1); #endif } void mac_destroy_ifnet(struct ifnet *ifp) { MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacifnets, 1); #endif } void mac_init_ipq(struct ipq *ipq) { mac_init_label(&ipq->ipq_label); MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); #ifdef MAC_DEBUG atomic_add_int(&nmacipqs, 1); #endif } void mac_destroy_ipq(struct ipq *ipq) { MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); mac_destroy_label(&ipq->ipq_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacipqs, 1); #endif } void mac_init_socket(struct socket *socket) { mac_init_label(&socket->so_label); mac_init_label(&socket->so_peerlabel); MAC_PERFORM(init_socket, socket, &socket->so_label, &socket->so_peerlabel); #ifdef MAC_DEBUG atomic_add_int(&nmacsockets, 1); #endif } void mac_destroy_socket(struct socket *socket) { MAC_PERFORM(destroy_socket, socket, &socket->so_label, &socket->so_peerlabel); mac_destroy_label(&socket->so_label); mac_destroy_label(&socket->so_peerlabel); #ifdef MAC_DEBUG atomic_subtract_int(&nmacsockets, 1); #endif } void mac_init_pipe(struct pipe *pipe) { struct label *label; label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); mac_init_label(label); pipe->pipe_label = label; pipe->pipe_peer->pipe_label = label; MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); #ifdef MAC_DEBUG atomic_add_int(&nmacpipes, 1); #endif } void mac_destroy_pipe(struct pipe *pipe) { MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); mac_destroy_label(pipe->pipe_label); free(pipe->pipe_label, M_MACPIPELABEL); #ifdef MAC_DEBUG atomic_subtract_int(&nmacpipes, 1); #endif } void mac_init_bpfdesc(struct bpf_d *bpf_d) { mac_init_label(&bpf_d->bd_label); MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); #ifdef MAC_DEBUG atomic_add_int(&nmacbpfdescs, 1); #endif } void mac_destroy_bpfdesc(struct bpf_d *bpf_d) { MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); mac_destroy_label(&bpf_d->bd_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacbpfdescs, 1); #endif } void mac_init_mount(struct mount *mp) { mac_init_label(&mp->mnt_mntlabel); mac_init_label(&mp->mnt_fslabel); MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); #ifdef MAC_DEBUG atomic_add_int(&nmacmounts, 1); #endif } void mac_destroy_mount(struct mount *mp) { MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); mac_destroy_label(&mp->mnt_fslabel); mac_destroy_label(&mp->mnt_mntlabel); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmounts, 1); #endif } static void mac_init_temp(struct label *label) { mac_init_label(label); MAC_PERFORM(init_temp, label); #ifdef MAC_DEBUG atomic_add_int(&nmactemp, 1); #endif } static void mac_destroy_temp(struct label *label) { MAC_PERFORM(destroy_temp, label); mac_destroy_label(label); #ifdef MAC_DEBUG atomic_subtract_int(&nmactemp, 1); #endif } void mac_init_vnode(struct vnode *vp) { mac_init_label(&vp->v_label); MAC_PERFORM(init_vnode, vp, &vp->v_label); #ifdef MAC_DEBUG atomic_add_int(&nmacvnodes, 1); #endif } void mac_destroy_vnode(struct vnode *vp) { MAC_PERFORM(destroy_vnode, vp, &vp->v_label); mac_destroy_label(&vp->v_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacvnodes, 1); #endif } void mac_init_devfsdirent(struct devfs_dirent *de) { mac_init_label(&de->de_label); MAC_PERFORM(init_devfsdirent, de, &de->de_label); #ifdef MAC_DEBUG atomic_add_int(&nmacdevfsdirents, 1); #endif } void mac_destroy_devfsdirent(struct devfs_dirent *de) { MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); mac_destroy_label(&de->de_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacdevfsdirents, 1); #endif } static int mac_externalize(struct label *label, struct mac *mac) { int error; mac_init_structmac(mac); MAC_CHECK(externalize, label, mac); return (error); } static int mac_internalize(struct label *label, struct mac *mac) { int error; mac_init_temp(label); MAC_CHECK(internalize, label, mac); if (error) mac_destroy_temp(label); return (error); } /* * Initialize MAC label for the first kernel process, from which other * kernel processes and threads are spawned. */ void mac_create_proc0(struct ucred *cred) { MAC_PERFORM(create_proc0, cred); } /* * Initialize MAC label for the first userland process, from which other * userland processes and threads are spawned. */ void mac_create_proc1(struct ucred *cred) { MAC_PERFORM(create_proc1, cred); } /* * When a new process is created, its label must be initialized. Generally, * this involves inheritence from the parent process, modulo possible * deltas. This function allows that processing to take place. */ void mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred) { MAC_PERFORM(create_cred, parent_cred, child_cred); } int mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags); return (error); } int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct componentname *cnp, struct vattr *vap) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap); return (error); } int mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type); return (error); } int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec"); if (!mac_enforce_process && !mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label); return (error); } int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type); return (error); } int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp); return (error); } vm_prot_t mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) { vm_prot_t result = VM_PROT_ALL; /* * This should be some sort of MAC_BITWISE, maybe :) */ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_perms"); MAC_BOOLEAN(check_vnode_mmap_perms, &, cred, vp, &vp->v_label, newmapping); return (result); } int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) +mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + if (!mac_enforce_fs) return (0); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + return (error); +} + +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); + error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); return (error); } int -mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + return (error); } int mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label); return (error); } static int mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel"); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel); return (error); } int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, struct vnode *vp, int samedir, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); if (vp != NULL) { error = vn_refreshlabel(vp, cred); if (error) return (error); } MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp, vp != NULL ? &vp->v_label : NULL, samedir, cnp); return (error); } int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label); return (error); } int mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, struct acl *acl) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl); return (error); } int mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags); return (error); } int mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode); return (error); } int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, gid_t gid) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid); return (error); } int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime, mtime); return (error); } int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label); return (error); } + +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its * memory space, and revoke access (in the least surprising ways we * know) when necessary. The process lock is not held here. */ static void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred) { /* XXX freeze all other threads */ mtx_lock(&Giant); mac_cred_mmapped_drop_perms_recurse(td, cred, &td->td_proc->p_vmspace->vm_map); mtx_unlock(&Giant); /* XXX allow other threads to continue */ } static __inline const char * prot2str(vm_prot_t prot) { switch (prot & VM_PROT_ALL) { case VM_PROT_READ: return ("r--"); case VM_PROT_READ | VM_PROT_WRITE: return ("rw-"); case VM_PROT_READ | VM_PROT_EXECUTE: return ("r-x"); case VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE: return ("rwx"); case VM_PROT_WRITE: return ("-w-"); case VM_PROT_EXECUTE: return ("--x"); case VM_PROT_WRITE | VM_PROT_EXECUTE: return ("-wx"); default: return ("---"); } } static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map) { struct vm_map_entry *vme; vm_prot_t result, revokeperms; vm_object_t object; vm_ooffset_t offset; struct vnode *vp; vm_map_lock_read(map); for (vme = map->header.next; vme != &map->header; vme = vme->next) { if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) { mac_cred_mmapped_drop_perms_recurse(td, cred, vme->object.sub_map); continue; } /* * Skip over entries that obviously are not shared. */ if (vme->eflags & (MAP_ENTRY_COW | MAP_ENTRY_NOSYNC) || !vme->max_protection) continue; /* * Drill down to the deepest backing object. */ offset = vme->offset; object = vme->object.vm_object; if (object == NULL) continue; while (object->backing_object != NULL) { object = object->backing_object; offset += object->backing_object_offset; } /* * At the moment, vm_maps and objects aren't considered * by the MAC system, so only things with backing by a * normal object (read: vnodes) are checked. */ if (object->type != OBJT_VNODE) continue; vp = (struct vnode *)object->handle; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); result = mac_check_vnode_mmap_prot(cred, vp, 0); VOP_UNLOCK(vp, 0, td); /* * Find out what maximum protection we may be allowing * now but a policy needs to get removed. */ revokeperms = vme->max_protection & ~result; if (!revokeperms) continue; printf("pid %d: revoking %s perms from %#lx:%d " "(max %s/cur %s)\n", td->td_proc->p_pid, prot2str(revokeperms), vme->start, vme->end - vme->start, prot2str(vme->max_protection), prot2str(vme->protection)); vm_map_lock_upgrade(map); /* * This is the really simple case: if a map has more * max_protection than is allowed, but it's not being * actually used (that is, the current protection is * still allowed), we can just wipe it out and do * nothing more. */ if ((vme->protection & revokeperms) == 0) { vme->max_protection -= revokeperms; } else { if (revokeperms & VM_PROT_WRITE) { /* * In the more complicated case, flush out all * pending changes to the object then turn it * copy-on-write. */ vm_object_reference(object); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); vm_object_page_clean(object, OFF_TO_IDX(offset), OFF_TO_IDX(offset + vme->end - vme->start + PAGE_MASK), OBJPC_SYNC); VOP_UNLOCK(vp, 0, td); vm_object_deallocate(object); /* * Why bother if there's no read permissions * anymore? For the rest, we need to leave * the write permissions on for COW, or * remove them entirely if configured to. */ if (!mac_mmap_revocation_via_cow) { vme->max_protection &= ~VM_PROT_WRITE; vme->protection &= ~VM_PROT_WRITE; } if ((revokeperms & VM_PROT_READ) == 0) vme->eflags |= MAP_ENTRY_COW | MAP_ENTRY_NEEDS_COPY; } if (revokeperms & VM_PROT_EXECUTE) { vme->max_protection &= ~VM_PROT_EXECUTE; vme->protection &= ~VM_PROT_EXECUTE; } if (revokeperms & VM_PROT_READ) { vme->max_protection = 0; vme->protection = 0; } pmap_protect(map->pmap, vme->start, vme->end, vme->protection & ~revokeperms); vm_map_simplify_entry(map, vme); } vm_map_lock_downgrade(map); } vm_map_unlock_read(map); } /* * When the subject's label changes, it may require revocation of privilege * to mapped objects. This can't be done on-the-fly later with a unified * buffer cache. */ static void mac_relabel_cred(struct ucred *cred, struct label *newlabel) { MAC_PERFORM(relabel_cred, cred, newlabel); mac_cred_mmapped_drop_perms(curthread, cred); } void mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel) { MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel); } void mac_create_ifnet(struct ifnet *ifnet) { MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label); } void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) { MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label); } void mac_create_socket(struct ucred *cred, struct socket *socket) { MAC_PERFORM(create_socket, cred, socket, &socket->so_label); } void mac_create_pipe(struct ucred *cred, struct pipe *pipe) { MAC_PERFORM(create_pipe, cred, pipe, pipe->pipe_label); } void mac_create_socket_from_socket(struct socket *oldsocket, struct socket *newsocket) { MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label, newsocket, &newsocket->so_label); } static void mac_relabel_socket(struct ucred *cred, struct socket *socket, struct label *newlabel) { MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel); } static void mac_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *newlabel) { MAC_PERFORM(relabel_pipe, cred, pipe, pipe->pipe_label, newlabel); } void mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) { MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, &mbuf->m_pkthdr.label, socket, &socket->so_peerlabel); } void mac_set_socket_peer_from_socket(struct socket *oldsocket, struct socket *newsocket) { MAC_PERFORM(set_socket_peer_from_socket, oldsocket, &oldsocket->so_label, newsocket, &newsocket->so_peerlabel); } void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram) { MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label, datagram, &datagram->m_pkthdr.label); } void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment) { MAC_PERFORM(create_fragment, datagram, &datagram->m_pkthdr.label, fragment, &fragment->m_pkthdr.label); } void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq) { MAC_PERFORM(create_ipq, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); } void mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_from_mbuf, oldmbuf, &oldmbuf->m_pkthdr.label, newmbuf, &newmbuf->m_pkthdr.label); } void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, &oldmbuf->m_pkthdr.label, ifnet, &ifnet->if_label, newmbuf, &newmbuf->m_pkthdr.label); } void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_netlayer, oldmbuf, &oldmbuf->m_pkthdr.label, newmbuf, &newmbuf->m_pkthdr.label); } int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) { int result; result = 1; MAC_BOOLEAN(fragment_match, &&, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); return (result); } void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) { MAC_PERFORM(update_ipq, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); } void mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mount(struct ucred *cred, struct mount *mp) { MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); } void mac_create_root_mount(struct ucred *cred, struct mount *mp) { MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); } int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) { int error; if (!mac_enforce_network) return (0); MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet, &ifnet->if_label); return (error); } static int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel) { int error; MAC_CHECK(check_cred_relabel, cred, newlabel); return (error); } int mac_check_cred_visible(struct ucred *u1, struct ucred *u2) { int error; if (!mac_enforce_process) return (0); MAC_CHECK(check_cred_visible, u1, u2); return (error); } int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) { int error; if (!mac_enforce_network) return (0); KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr")); if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED)) printf("%s%d: not initialized\n", ifnet->if_name, ifnet->if_unit); MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); return (error); } int mac_check_mount_stat(struct ucred *cred, struct mount *mount) { int error; if (!mac_enforce_fs) return (0); MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel); return (error); } int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, void *data) { int error; MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); return (error); } int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) { int error; MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); return (error); } static int mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *newlabel) { int error; MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); return (error); } int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_debug, cred, proc); return (error); } int mac_check_proc_sched(struct ucred *cred, struct proc *proc) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_sched, cred, proc); return (error); } int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_signal, cred, proc, signum); return (error); } int mac_check_socket_bind(struct ucred *ucred, struct socket *socket, struct sockaddr *sockaddr) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label, sockaddr); return (error); } int mac_check_socket_connect(struct ucred *cred, struct socket *socket, struct sockaddr *sockaddr) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label, sockaddr); return (error); } int mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf, &mbuf->m_pkthdr.label); return (error); } int mac_check_socket_listen(struct ucred *cred, struct socket *socket) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label); return (error); } static int mac_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *newlabel) { int error; MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label, newlabel); return (error); } int mac_check_socket_visible(struct ucred *cred, struct socket *socket) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label); return (error); } int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { struct mac label; int error; error = mac_externalize(&ifnet->if_label, &label); if (error) return (error); return (copyout(&label, ifr->ifr_ifru.ifru_data, sizeof(label))); } int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { struct mac newlabel; struct label intlabel; int error; error = copyin(ifr->ifr_ifru.ifru_data, &newlabel, sizeof(newlabel)); if (error) return (error); error = mac_internalize(&intlabel, &newlabel); if (error) return (error); /* * XXX: Note that this is a redundant privilege check, since * policies impose this check themselves if required by the * policy. Eventually, this should go away. */ error = suser_cred(cred, 0); if (error) goto out; MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label, &intlabel); if (error) goto out; MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel); out: mac_destroy_temp(&intlabel); return (error); } void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp) { MAC_PERFORM(create_devfs_vnode, de, &de->de_label, vp, &vp->v_label); } void mac_create_devfs_device(dev_t dev, struct devfs_dirent *de) { MAC_PERFORM(create_devfs_device, dev, de, &de->de_label); } static int mac_stdcreatevnode_ea(struct vnode *vp) { int error; MAC_CHECK(stdcreatevnode_ea, vp, &vp->v_label); return (error); } void mac_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *de) { MAC_PERFORM(create_devfs_directory, dirname, dirnamelen, de, &de->de_label); } /* * When a new vnode is created, this call will initialize its label. */ void mac_create_vnode(struct ucred *cred, struct vnode *parent, struct vnode *child) { int error; ASSERT_VOP_LOCKED(parent, "mac_create_vnode"); ASSERT_VOP_LOCKED(child, "mac_create_vnode"); error = vn_refreshlabel(parent, cred); if (error) { printf("mac_create_vnode: vn_refreshlabel returned %d\n", error); printf("mac_create_vnode: using old vnode label\n"); } MAC_PERFORM(create_vnode, cred, parent, &parent->v_label, child, &child->v_label); } int mac_setsockopt_label_set(struct ucred *cred, struct socket *so, struct mac *extmac) { struct label intlabel; int error; error = mac_internalize(&intlabel, extmac); if (error) return (error); mac_check_socket_relabel(cred, so, &intlabel); if (error) { mac_destroy_temp(&intlabel); return (error); } mac_relabel_socket(cred, so, &intlabel); mac_destroy_temp(&intlabel); return (0); } int mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) { int error; error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); mac_relabel_pipe(cred, pipe, label); return (0); } int mac_getsockopt_label_get(struct ucred *cred, struct socket *so, struct mac *extmac) { return (mac_externalize(&so->so_label, extmac)); } int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, struct mac *extmac) { return (mac_externalize(&so->so_peerlabel, extmac)); } /* * Implementation of VOP_SETLABEL() that relies on extended attributes * to store label data. Can be referenced by filesystems supporting * extended attributes. */ int vop_stdsetlabel_ea(struct vop_setlabel_args *ap) { struct vnode *vp = ap->a_vp; struct label *intlabel = ap->a_label; struct mac extmac; int error; ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea"); /* * XXX: Eventually call out to EA check/set calls here. * Be particularly careful to avoid race conditions, * consistency problems, and stability problems when * dealing with multiple EAs. In particular, we require * the ability to write multiple EAs on the same file in * a single transaction, which the current EA interface * does not provide. */ error = mac_externalize(intlabel, &extmac); if (error) return (error); error = vn_extattr_set(vp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, sizeof(extmac), (char *)&extmac, curthread); if (error) return (error); mac_relabel_vnode(ap->a_cred, vp, intlabel); vp->v_vflag |= VV_CACHEDLABEL; return (0); } static int vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) { int error; if (vp->v_mount == NULL) { /* printf("vn_setlabel: null v_mount\n"); */ if (vp->v_tag != VT_NON) printf("vn_setlabel: null v_mount with non-VT_NON\n"); return (EBADF); } if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) return (EOPNOTSUPP); /* * Multi-phase commit. First check the policies to confirm the * change is OK. Then commit via the filesystem. Finally, * update the actual vnode label. Question: maybe the filesystem * should update the vnode at the end as part of VOP_SETLABEL()? */ error = mac_check_vnode_relabel(cred, vp, intlabel); if (error) return (error); /* * VADMIN provides the opportunity for the filesystem to make * decisions about who is and is not able to modify labels * and protections on files. This might not be right. We can't * assume VOP_SETLABEL() will do it, because we might implement * that as part of vop_stdsetlabel_ea(). */ error = VOP_ACCESS(vp, VADMIN, cred, curthread); if (error) return (error); error = VOP_SETLABEL(vp, intlabel, cred, curthread); if (error) return (error); return (0); } /* * MPSAFE */ int __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) { struct mac extmac; int error; error = mac_externalize(&td->td_ucred->cr_label, &extmac); if (error == 0) error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); return (error); } /* * MPSAFE * * XXX: Needs to be re-written for proc locking. */ int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { struct ucred *newcred, *oldcred; struct proc *p; struct mac extmac; struct label intlabel; int error; error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) return (error); error = mac_internalize(&intlabel, &extmac); if (error) return (error); newcred = crget(); p = td->td_proc; PROC_LOCK(p); oldcred = p->p_ucred; error = mac_check_cred_relabel(oldcred, &intlabel); if (error) { PROC_UNLOCK(p); mac_destroy_temp(&intlabel); crfree(newcred); return (error); } setsugid(p); crcopy(newcred, oldcred); PROC_UNLOCK(p); mac_relabel_cred(newcred, &intlabel); PROC_LOCK(p); p->p_ucred = newcred; PROC_UNLOCK(p); crfree(oldcred); mac_destroy_temp(&intlabel); return (0); } /* * MPSAFE */ int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { struct file *fp; struct mac extmac; struct vnode *vp; struct pipe *pipe; int error; mtx_lock(&Giant); error = fget(td, SCARG(uap, fd), &fp); if (error) goto out; switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: vp = (struct vnode *)fp->f_data; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = vn_refreshlabel(vp, td->td_ucred); if (error == 0) error = mac_externalize(&vp->v_label, &extmac); VOP_UNLOCK(vp, 0, td); break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; error = mac_externalize(pipe->pipe_label, &extmac); break; default: error = EINVAL; } if (error == 0) error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); fdrop(fp, td); out: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { struct nameidata nd; struct mac extmac; int error; mtx_lock(&Giant); NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, SCARG(uap, path_p), td); error = namei(&nd); if (error) goto out; error = vn_refreshlabel(nd.ni_vp, td->td_ucred); if (error == 0) error = mac_externalize(&nd.ni_vp->v_label, &extmac); NDFREE(&nd, 0); if (error) goto out; error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); out: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { struct file *fp; struct mac extmac; struct label intlabel; struct mount *mp; struct vnode *vp; struct pipe *pipe; int error; mtx_lock(&Giant); error = fget(td, SCARG(uap, fd), &fp); if (error) goto out1; error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) goto out2; error = mac_internalize(&intlabel, &extmac); if (error) goto out2; switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: vp = (struct vnode *)fp->f_data; error = vn_start_write(vp, &mp, V_WAIT | PCATCH); if (error != 0) break; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = vn_setlabel(vp, &intlabel, td->td_ucred); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); mac_destroy_temp(&intlabel); break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); break; default: error = EINVAL; } out2: fdrop(fp, td); out1: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { struct nameidata nd; struct mac extmac; struct label intlabel; struct mount *mp; int error; mtx_lock(&Giant); error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) goto out; error = mac_internalize(&intlabel, &extmac); if (error) goto out; NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, SCARG(uap, path_p), td); error = namei(&nd); if (error) goto out2; error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error) goto out2; error = vn_setlabel(nd.ni_vp, &intlabel, td->td_ucred); vn_finished_write(mp); out2: mac_destroy_temp(&intlabel); NDFREE(&nd, 0); out: mtx_unlock(&Giant); return (error); } SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); #else /* !MAC */ int __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) { return (ENOSYS); } int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { return (ENOSYS); } int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { return (ENOSYS); } int __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { return (ENOSYS); } int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { return (ENOSYS); } int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { return (ENOSYS); } #endif /* !MAC */ Index: head/sys/security/mac/mac_pipe.c =================================================================== --- head/sys/security/mac/mac_pipe.c (revision 102111) +++ head/sys/security/mac/mac_pipe.c (revision 102112) @@ -1,3174 +1,3221 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the * TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by NAI Labs, * the Security Research Division of Network Associates, Inc. under * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The names of the authors may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ /* * Developed by the TrustedBSD Project. * * Framework for extensible kernel access control. Kernel and userland * interface to the framework, policy registration and composition. */ #include "opt_mac.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef MAC /* * Declare that the kernel provides MAC support, version 1. This permits * modules to refuse to be loaded if the necessary support isn't present, * even if it's pre-boot. */ MODULE_VERSION(kernel_mac_support, 1); SYSCTL_DECL(_security); SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0, "TrustedBSD MAC policy controls"); SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0, "TrustedBSD MAC debug info"); static int mac_debug_label_fallback = 0; SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW, &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label" "when label is corrupted."); TUNABLE_INT("security.mac.debug_label_fallback", &mac_debug_label_fallback); #ifndef MAC_MAX_POLICIES #define MAC_MAX_POLICIES 8 #endif #if MAC_MAX_POLICIES > 32 #error "MAC_MAX_POLICIES too large" #endif static unsigned int mac_max_policies = MAC_MAX_POLICIES; static unsigned int mac_policy_offsets_free = (1 << MAC_MAX_POLICIES) - 1; SYSCTL_UINT(_security_mac, OID_AUTO, max_policies, CTLFLAG_RD, &mac_max_policies, 0, ""); static int mac_late = 0; static int mac_enforce_fs = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); static int mac_enforce_network = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, &mac_enforce_network, 0, "Enforce MAC policy on network packets"); TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network); static int mac_enforce_process = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW, &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations"); TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process); static int mac_enforce_socket = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); static int mac_enforce_pipe = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW, &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations"); static int mac_label_size = sizeof(struct mac); SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, &mac_label_size, 0, "Pre-compiled MAC label size"); static int mac_cache_fslabel_in_vnode = 1; SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW, &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode"); TUNABLE_INT("security.mac.cache_fslabel_in_vnode", &mac_cache_fslabel_in_vnode); static int mac_vnode_label_cache_hits = 0; SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD, &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels"); static int mac_vnode_label_cache_misses = 0; SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD, &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels"); static int mac_mmap_revocation_via_cow = 0; SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " "copy-on-write semantics, or by removing all write access"); #ifdef MAC_DEBUG static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, nmacipqs, nmacpipes; SYSCTL_UINT(_security_mac_debug, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, creds, CTLFLAG_RD, &nmaccreds, 0, "number of ucreds in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, ifnets, CTLFLAG_RD, &nmacifnets, 0, "number of ifnets in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, ipqs, CTLFLAG_RD, &nmacipqs, 0, "number of ipqs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, bpfdescs, CTLFLAG_RD, &nmacbpfdescs, 0, "number of bpfdescs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, pipes, CTLFLAG_RD, &nmacpipes, 0, "number of pipes in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, mounts, CTLFLAG_RD, &nmacmounts, 0, "number of mounts in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, temp, CTLFLAG_RD, &nmactemp, 0, "number of temporary labels in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, vnodes, CTLFLAG_RD, &nmacvnodes, 0, "number of vnodes in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, devfsdirents, CTLFLAG_RD, &nmacdevfsdirents, 0, "number of devfs dirents inuse"); #endif static int error_select(int error1, int error2); static int mac_externalize(struct label *label, struct mac *mac); static int mac_policy_register(struct mac_policy_conf *mpc); static int mac_policy_unregister(struct mac_policy_conf *mpc); static int mac_stdcreatevnode_ea(struct vnode *vp); static void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred); static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map); MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector"); MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes"); /* * mac_policy_list_lock protects the consistency of 'mac_policy_list', * the linked list of attached policy modules. Read-only consumers of * the list must acquire a shared lock for the duration of their use; * writers must acquire an exclusive lock. Note that for compound * operations, locks should be held for the entire compound operation, * and that this is not yet done for relabel requests. */ static struct mtx mac_policy_list_lock; static LIST_HEAD(, mac_policy_conf) mac_policy_list; static int mac_policy_list_busy; #define MAC_POLICY_LIST_LOCKINIT() mtx_init(&mac_policy_list_lock, \ "mac_policy_list_lock", NULL, MTX_DEF); #define MAC_POLICY_LIST_LOCK() mtx_lock(&mac_policy_list_lock); #define MAC_POLICY_LIST_UNLOCK() mtx_unlock(&mac_policy_list_lock); #define MAC_POLICY_LIST_BUSY() do { \ MAC_POLICY_LIST_LOCK(); \ mac_policy_list_busy++; \ MAC_POLICY_LIST_UNLOCK(); \ } while (0) #define MAC_POLICY_LIST_UNBUSY() do { \ MAC_POLICY_LIST_LOCK(); \ mac_policy_list_busy--; \ if (mac_policy_list_busy < 0) \ panic("Extra mac_policy_list_busy--"); \ MAC_POLICY_LIST_UNLOCK(); \ } while (0) /* * MAC_CHECK performs the designated check by walking the policy * module list and checking with each as to how it feels about the * request. Note that it returns its value via 'error' in the scope * of the caller. */ #define MAC_CHECK(check, args...) do { \ struct mac_policy_conf *mpc; \ \ error = 0; \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## check != NULL) \ error = error_select( \ mpc->mpc_ops->mpo_ ## check (args), \ error); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * MAC_BOOLEAN performs the designated boolean composition by walking * the module list, invoking each instance of the operation, and * combining the results using the passed C operator. Note that it * returns its value via 'result' in the scope of the caller, which * should be initialized by the caller in a meaningful way to get * a meaningful result. */ #define MAC_BOOLEAN(operation, composition, args...) do { \ struct mac_policy_conf *mpc; \ \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## operation != NULL) \ result = result composition \ mpc->mpc_ops->mpo_ ## operation (args); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * MAC_PERFORM performs the designated operation by walking the policy * module list and invoking that operation for each policy. */ #define MAC_PERFORM(operation, args...) do { \ struct mac_policy_conf *mpc; \ \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## operation != NULL) \ mpc->mpc_ops->mpo_ ## operation (args); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * Initialize the MAC subsystem, including appropriate SMP locks. */ static void mac_init(void) { LIST_INIT(&mac_policy_list); MAC_POLICY_LIST_LOCKINIT(); } /* * For the purposes of modules that want to know if they were loaded * "early", set the mac_late flag once we've processed modules either * linked into the kernel, or loaded before the kernel startup. */ static void mac_late_init(void) { mac_late = 1; } /* * Allow MAC policy modules to register during boot, etc. */ int mac_policy_modevent(module_t mod, int type, void *data) { struct mac_policy_conf *mpc; int error; error = 0; mpc = (struct mac_policy_conf *) data; switch (type) { case MOD_LOAD: if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE && mac_late) { printf("mac_policy_modevent: can't load %s policy " "after booting\n", mpc->mpc_name); error = EBUSY; break; } error = mac_policy_register(mpc); break; case MOD_UNLOAD: /* Don't unregister the module if it was never registered. */ if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) != 0) error = mac_policy_unregister(mpc); else error = 0; break; default: break; } return (error); } static int mac_policy_register(struct mac_policy_conf *mpc) { struct mac_policy_conf *tmpc; struct mac_policy_ops *ops; struct mac_policy_op_entry *mpe; int slot; MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*ops), M_MACOPVEC, M_WAITOK | M_ZERO); for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) { switch (mpe->mpe_constant) { case MAC_OP_LAST: /* * Doesn't actually happen, but this allows checking * that all enumerated values are handled. */ break; case MAC_DESTROY: mpc->mpc_ops->mpo_destroy = mpe->mpe_function; break; case MAC_INIT: mpc->mpc_ops->mpo_init = mpe->mpe_function; break; case MAC_INIT_BPFDESC: mpc->mpc_ops->mpo_init_bpfdesc = mpe->mpe_function; break; case MAC_INIT_CRED: mpc->mpc_ops->mpo_init_cred = mpe->mpe_function; break; case MAC_INIT_DEVFSDIRENT: mpc->mpc_ops->mpo_init_devfsdirent = mpe->mpe_function; break; case MAC_INIT_IFNET: mpc->mpc_ops->mpo_init_ifnet = mpe->mpe_function; break; case MAC_INIT_IPQ: mpc->mpc_ops->mpo_init_ipq = mpe->mpe_function; break; case MAC_INIT_MBUF: mpc->mpc_ops->mpo_init_mbuf = mpe->mpe_function; break; case MAC_INIT_MOUNT: mpc->mpc_ops->mpo_init_mount = mpe->mpe_function; break; case MAC_INIT_PIPE: mpc->mpc_ops->mpo_init_pipe = mpe->mpe_function; break; case MAC_INIT_SOCKET: mpc->mpc_ops->mpo_init_socket = mpe->mpe_function; break; case MAC_INIT_TEMP: mpc->mpc_ops->mpo_init_temp = mpe->mpe_function; break; case MAC_INIT_VNODE: mpc->mpc_ops->mpo_init_vnode = mpe->mpe_function; break; case MAC_DESTROY_BPFDESC: mpc->mpc_ops->mpo_destroy_bpfdesc = mpe->mpe_function; break; case MAC_DESTROY_CRED: mpc->mpc_ops->mpo_destroy_cred = mpe->mpe_function; break; case MAC_DESTROY_DEVFSDIRENT: mpc->mpc_ops->mpo_destroy_devfsdirent = mpe->mpe_function; break; case MAC_DESTROY_IFNET: mpc->mpc_ops->mpo_destroy_ifnet = mpe->mpe_function; break; case MAC_DESTROY_IPQ: mpc->mpc_ops->mpo_destroy_ipq = mpe->mpe_function; break; case MAC_DESTROY_MBUF: mpc->mpc_ops->mpo_destroy_mbuf = mpe->mpe_function; break; case MAC_DESTROY_MOUNT: mpc->mpc_ops->mpo_destroy_mount = mpe->mpe_function; break; case MAC_DESTROY_PIPE: mpc->mpc_ops->mpo_destroy_pipe = mpe->mpe_function; break; case MAC_DESTROY_SOCKET: mpc->mpc_ops->mpo_destroy_socket = mpe->mpe_function; break; case MAC_DESTROY_TEMP: mpc->mpc_ops->mpo_destroy_temp = mpe->mpe_function; break; case MAC_DESTROY_VNODE: mpc->mpc_ops->mpo_destroy_vnode = mpe->mpe_function; break; case MAC_EXTERNALIZE: mpc->mpc_ops->mpo_externalize = mpe->mpe_function; break; case MAC_INTERNALIZE: mpc->mpc_ops->mpo_internalize = mpe->mpe_function; break; case MAC_CREATE_DEVFS_DEVICE: mpc->mpc_ops->mpo_create_devfs_device = mpe->mpe_function; break; case MAC_CREATE_DEVFS_DIRECTORY: mpc->mpc_ops->mpo_create_devfs_directory = mpe->mpe_function; break; case MAC_CREATE_DEVFS_VNODE: mpc->mpc_ops->mpo_create_devfs_vnode = mpe->mpe_function; break; case MAC_STDCREATEVNODE_EA: mpc->mpc_ops->mpo_stdcreatevnode_ea = mpe->mpe_function; break; case MAC_CREATE_VNODE: mpc->mpc_ops->mpo_create_vnode = mpe->mpe_function; break; case MAC_CREATE_MOUNT: mpc->mpc_ops->mpo_create_mount = mpe->mpe_function; break; case MAC_CREATE_ROOT_MOUNT: mpc->mpc_ops->mpo_create_root_mount = mpe->mpe_function; break; case MAC_RELABEL_VNODE: mpc->mpc_ops->mpo_relabel_vnode = mpe->mpe_function; break; case MAC_UPDATE_DEVFSDIRENT: mpc->mpc_ops->mpo_update_devfsdirent = mpe->mpe_function; break; case MAC_UPDATE_PROCFSVNODE: mpc->mpc_ops->mpo_update_procfsvnode = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_EXTATTR: mpc->mpc_ops->mpo_update_vnode_from_extattr = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_EXTERNALIZED: mpc->mpc_ops->mpo_update_vnode_from_externalized = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_MOUNT: mpc->mpc_ops->mpo_update_vnode_from_mount = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_SOCKET: mpc->mpc_ops->mpo_create_mbuf_from_socket = mpe->mpe_function; break; case MAC_CREATE_PIPE: mpc->mpc_ops->mpo_create_pipe = mpe->mpe_function; break; case MAC_CREATE_SOCKET: mpc->mpc_ops->mpo_create_socket = mpe->mpe_function; break; case MAC_CREATE_SOCKET_FROM_SOCKET: mpc->mpc_ops->mpo_create_socket_from_socket = mpe->mpe_function; break; case MAC_RELABEL_PIPE: mpc->mpc_ops->mpo_relabel_pipe = mpe->mpe_function; break; case MAC_RELABEL_SOCKET: mpc->mpc_ops->mpo_relabel_socket = mpe->mpe_function; break; case MAC_SET_SOCKET_PEER_FROM_MBUF: mpc->mpc_ops->mpo_set_socket_peer_from_mbuf = mpe->mpe_function; break; case MAC_SET_SOCKET_PEER_FROM_SOCKET: mpc->mpc_ops->mpo_set_socket_peer_from_socket = mpe->mpe_function; break; case MAC_CREATE_BPFDESC: mpc->mpc_ops->mpo_create_bpfdesc = mpe->mpe_function; break; case MAC_CREATE_DATAGRAM_FROM_IPQ: mpc->mpc_ops->mpo_create_datagram_from_ipq = mpe->mpe_function; break; case MAC_CREATE_FRAGMENT: mpc->mpc_ops->mpo_create_fragment = mpe->mpe_function; break; case MAC_CREATE_IFNET: mpc->mpc_ops->mpo_create_ifnet = mpe->mpe_function; break; case MAC_CREATE_IPQ: mpc->mpc_ops->mpo_create_ipq = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_MBUF: mpc->mpc_ops->mpo_create_mbuf_from_mbuf = mpe->mpe_function; break; case MAC_CREATE_MBUF_LINKLAYER: mpc->mpc_ops->mpo_create_mbuf_linklayer = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_BPFDESC: mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_IFNET: mpc->mpc_ops->mpo_create_mbuf_from_ifnet = mpe->mpe_function; break; case MAC_CREATE_MBUF_MULTICAST_ENCAP: mpc->mpc_ops->mpo_create_mbuf_multicast_encap = mpe->mpe_function; break; case MAC_CREATE_MBUF_NETLAYER: mpc->mpc_ops->mpo_create_mbuf_netlayer = mpe->mpe_function; break; case MAC_FRAGMENT_MATCH: mpc->mpc_ops->mpo_fragment_match = mpe->mpe_function; break; case MAC_RELABEL_IFNET: mpc->mpc_ops->mpo_relabel_ifnet = mpe->mpe_function; break; case MAC_UPDATE_IPQ: mpc->mpc_ops->mpo_update_ipq = mpe->mpe_function; break; case MAC_CREATE_CRED: mpc->mpc_ops->mpo_create_cred = mpe->mpe_function; break; case MAC_EXECVE_TRANSITION: mpc->mpc_ops->mpo_execve_transition = mpe->mpe_function; break; case MAC_EXECVE_WILL_TRANSITION: mpc->mpc_ops->mpo_execve_will_transition = mpe->mpe_function; break; case MAC_CREATE_PROC0: mpc->mpc_ops->mpo_create_proc0 = mpe->mpe_function; break; case MAC_CREATE_PROC1: mpc->mpc_ops->mpo_create_proc1 = mpe->mpe_function; break; case MAC_RELABEL_CRED: mpc->mpc_ops->mpo_relabel_cred = mpe->mpe_function; break; case MAC_CHECK_BPFDESC_RECEIVE: mpc->mpc_ops->mpo_check_bpfdesc_receive = mpe->mpe_function; break; case MAC_CHECK_CRED_RELABEL: mpc->mpc_ops->mpo_check_cred_relabel = mpe->mpe_function; break; case MAC_CHECK_CRED_VISIBLE: mpc->mpc_ops->mpo_check_cred_visible = mpe->mpe_function; break; case MAC_CHECK_IFNET_RELABEL: mpc->mpc_ops->mpo_check_ifnet_relabel = mpe->mpe_function; break; case MAC_CHECK_IFNET_TRANSMIT: mpc->mpc_ops->mpo_check_ifnet_transmit = mpe->mpe_function; break; case MAC_CHECK_MOUNT_STAT: mpc->mpc_ops->mpo_check_mount_stat = mpe->mpe_function; break; case MAC_CHECK_PIPE_IOCTL: mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; case MAC_CHECK_PIPE_OP: mpc->mpc_ops->mpo_check_pipe_op = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; break; case MAC_CHECK_PROC_SCHED: mpc->mpc_ops->mpo_check_proc_sched = mpe->mpe_function; break; case MAC_CHECK_PROC_SIGNAL: mpc->mpc_ops->mpo_check_proc_signal = mpe->mpe_function; break; case MAC_CHECK_SOCKET_BIND: mpc->mpc_ops->mpo_check_socket_bind = mpe->mpe_function; break; case MAC_CHECK_SOCKET_CONNECT: mpc->mpc_ops->mpo_check_socket_connect = mpe->mpe_function; break; case MAC_CHECK_SOCKET_DELIVER: mpc->mpc_ops->mpo_check_socket_deliver = mpe->mpe_function; break; case MAC_CHECK_SOCKET_LISTEN: mpc->mpc_ops->mpo_check_socket_listen = mpe->mpe_function; break; case MAC_CHECK_SOCKET_RELABEL: mpc->mpc_ops->mpo_check_socket_relabel = mpe->mpe_function; break; case MAC_CHECK_SOCKET_VISIBLE: mpc->mpc_ops->mpo_check_socket_visible = mpe->mpe_function; break; case MAC_CHECK_VNODE_ACCESS: mpc->mpc_ops->mpo_check_vnode_access = mpe->mpe_function; break; case MAC_CHECK_VNODE_CHDIR: mpc->mpc_ops->mpo_check_vnode_chdir = mpe->mpe_function; break; case MAC_CHECK_VNODE_CHROOT: mpc->mpc_ops->mpo_check_vnode_chroot = mpe->mpe_function; break; case MAC_CHECK_VNODE_CREATE: mpc->mpc_ops->mpo_check_vnode_create = mpe->mpe_function; break; case MAC_CHECK_VNODE_DELETE: mpc->mpc_ops->mpo_check_vnode_delete = mpe->mpe_function; break; case MAC_CHECK_VNODE_DELETEACL: mpc->mpc_ops->mpo_check_vnode_deleteacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_EXEC: mpc->mpc_ops->mpo_check_vnode_exec = mpe->mpe_function; break; case MAC_CHECK_VNODE_GETACL: mpc->mpc_ops->mpo_check_vnode_getacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_GETEXTATTR: mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; case MAC_CHECK_VNODE_LOOKUP: mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; break; case MAC_CHECK_VNODE_MMAP_PERMS: mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; break; case MAC_CHECK_VNODE_READLINK: mpc->mpc_ops->mpo_check_vnode_readlink = mpe->mpe_function; break; case MAC_CHECK_VNODE_RELABEL: mpc->mpc_ops->mpo_check_vnode_relabel = mpe->mpe_function; break; case MAC_CHECK_VNODE_RENAME_FROM: mpc->mpc_ops->mpo_check_vnode_rename_from = mpe->mpe_function; break; case MAC_CHECK_VNODE_RENAME_TO: mpc->mpc_ops->mpo_check_vnode_rename_to = mpe->mpe_function; break; case MAC_CHECK_VNODE_REVOKE: mpc->mpc_ops->mpo_check_vnode_revoke = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETACL: mpc->mpc_ops->mpo_check_vnode_setacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETEXTATTR: mpc->mpc_ops->mpo_check_vnode_setextattr = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETFLAGS: mpc->mpc_ops->mpo_check_vnode_setflags = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETMODE: mpc->mpc_ops->mpo_check_vnode_setmode = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETOWNER: mpc->mpc_ops->mpo_check_vnode_setowner = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETUTIMES: mpc->mpc_ops->mpo_check_vnode_setutimes = mpe->mpe_function; break; case MAC_CHECK_VNODE_STAT: mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", mpc->mpc_name, mpe->mpe_constant); return (EINVAL); */ } } MAC_POLICY_LIST_LOCK(); if (mac_policy_list_busy > 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (EBUSY); } LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (EEXIST); } } if (mpc->mpc_field_off != NULL) { slot = ffs(mac_policy_offsets_free); if (slot == 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (ENOMEM); } slot--; mac_policy_offsets_free &= ~(1 << slot); *mpc->mpc_field_off = slot; } mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED; LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list); /* Per-policy initialization. */ if (mpc->mpc_ops->mpo_init != NULL) (*(mpc->mpc_ops->mpo_init))(mpc); MAC_POLICY_LIST_UNLOCK(); printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); return (0); } static int mac_policy_unregister(struct mac_policy_conf *mpc) { #if 0 /* * Don't allow unloading modules with private data. */ if (mpc->mpc_field_off != NULL) return (EBUSY); #endif if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) return (EBUSY); MAC_POLICY_LIST_LOCK(); if (mac_policy_list_busy > 0) { MAC_POLICY_LIST_UNLOCK(); return (EBUSY); } if (mpc->mpc_ops->mpo_destroy != NULL) (*(mpc->mpc_ops->mpo_destroy))(mpc); LIST_REMOVE(mpc, mpc_list); MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); return (0); } /* * Define an error value precedence, and given two arguments, selects the * value with the higher precedence. */ static int error_select(int error1, int error2) { /* Certain decision-making errors take top priority. */ if (error1 == EDEADLK || error2 == EDEADLK) return (EDEADLK); /* Invalid arguments should be reported where possible. */ if (error1 == EINVAL || error2 == EINVAL) return (EINVAL); /* Precedence goes to "visibility", with both process and file. */ if (error1 == ESRCH || error2 == ESRCH) return (ESRCH); if (error1 == ENOENT || error2 == ENOENT) return (ENOENT); /* Precedence goes to DAC/MAC protections. */ if (error1 == EACCES || error2 == EACCES) return (EACCES); /* Precedence goes to privilege. */ if (error1 == EPERM || error2 == EPERM) return (EPERM); /* Precedence goes to error over success; otherwise, arbitrary. */ if (error1 != 0) return (error1); return (error2); } void mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp) { MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label); } void mac_update_procfsvnode(struct vnode *vp, struct ucred *cred) { MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred); } /* * Support callout for policies that manage their own externalization * using extended attributes. */ static int mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp) { int error; MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp, &mp->mnt_fslabel); return (error); } /* * Given an externalized mac label, internalize it and stamp it on a * vnode. */ static int mac_update_vnode_from_externalized(struct vnode *vp, struct mac *extmac) { int error; MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac); return (error); } /* * Call out to individual policies to update the label in a vnode from * the mountpoint. */ void mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp) { MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp, &mp->mnt_fslabel); ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount"); if (mac_cache_fslabel_in_vnode) vp->v_vflag |= VV_CACHEDLABEL; } /* * Implementation of VOP_REFRESHLABEL() that relies on extended attributes * to store label data. Can be referenced by filesystems supporting * extended attributes. */ int vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap) { struct vnode *vp = ap->a_vp; struct mac extmac; int buflen, error; ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea"); /* * Call out to external policies first. Order doesn't really * matter, as long as failure of one assures failure of all. */ error = mac_update_vnode_from_extattr(vp, vp->v_mount); if (error) return (error); buflen = sizeof(extmac); error = vn_extattr_get(vp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen, (char *)&extmac, curthread); switch (error) { case 0: /* Got it */ break; case ENOATTR: /* * Use the label from the mount point. */ mac_update_vnode_from_mount(vp, vp->v_mount); return (0); case EOPNOTSUPP: default: /* Fail horribly. */ return (error); } if (buflen != sizeof(extmac)) error = EPERM; /* Fail very closed. */ if (error == 0) error = mac_update_vnode_from_externalized(vp, &extmac); if (error == 0) vp->v_vflag |= VV_CACHEDLABEL; else { struct vattr va; printf("Corrupted label on %s", vp->v_mount->mnt_stat.f_mntonname); if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0) printf(" inum %ld", va.va_fileid); if (mac_debug_label_fallback) { printf(", falling back.\n"); mac_update_vnode_from_mount(vp, vp->v_mount); error = 0; } else { printf(".\n"); error = EPERM; } } return (error); } /* * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle * the labeling activity outselves. Filesystems should be careful not * to change their minds regarding whether they support vop_refreshlabel() * for a vnode or not. Don't cache the vnode here, allow the file * system code to determine if it's safe to cache. If we update from * the mount, don't cache since a change to the mount label should affect * all vnodes. */ static int vn_refreshlabel(struct vnode *vp, struct ucred *cred) { int error; ASSERT_VOP_LOCKED(vp, "vn_refreshlabel"); if (vp->v_mount == NULL) { /* Eventually, we probably want to special-case refreshing of deadfs vnodes, and if there's a lock-free race somewhere, that case might be handled here. mac_update_vnode_deadfs(vp); return (0); */ /* printf("vn_refreshlabel: null v_mount\n"); */ if (vp->v_tag != VT_NON) printf( "vn_refreshlabel: null v_mount with non-VT_NON\n"); return (EBADF); } if (vp->v_vflag & VV_CACHEDLABEL) { mac_vnode_label_cache_hits++; return (0); } else mac_vnode_label_cache_misses++; if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { mac_update_vnode_from_mount(vp, vp->v_mount); return (0); } error = VOP_REFRESHLABEL(vp, cred, curthread); switch (error) { case EOPNOTSUPP: /* * If labels are not supported on this vnode, fall back to * the label in the mount and propagate it to the vnode. * There should probably be some sort of policy/flag/decision * about doing this. */ mac_update_vnode_from_mount(vp, vp->v_mount); error = 0; default: return (error); } } /* * Helper function for file systems using the vop_std*_ea() calls. This * function must be called after EA service is available for the vnode, * but before it's hooked up to the namespace so that the node persists * if there's a crash, or before it can be accessed. On successful * commit of the label to disk (etc), do cache the label. */ int vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred) { struct mac extmac; int error; ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea"); if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { mac_update_vnode_from_mount(tvp, tvp->v_mount); } else { error = vn_refreshlabel(dvp, cred); if (error) return (error); /* * Stick the label in the vnode. Then try to write to * disk. If we fail, return a failure to abort the * create operation. Really, this failure shouldn't * happen except in fairly unusual circumstances (out * of disk, etc). */ mac_create_vnode(cred, dvp, tvp); error = mac_stdcreatevnode_ea(tvp); if (error) return (error); /* * XXX: Eventually this will go away and all policies will * directly manage their extended attributes. */ error = mac_externalize(&tvp->v_label, &extmac); if (error) return (error); error = vn_extattr_set(tvp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, sizeof(extmac), (char *)&extmac, curthread); if (error == 0) tvp->v_vflag |= VV_CACHEDLABEL; else { #if 0 /* * In theory, we could have fall-back behavior here. * It would probably be incorrect. */ #endif return (error); } } return (0); } void mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_execve_transition"); error = vn_refreshlabel(vp, old); if (error) { printf("mac_execve_transition: vn_refreshlabel returned %d\n", error); printf("mac_execve_transition: using old vnode label\n"); } MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label); } int mac_execve_will_transition(struct ucred *old, struct vnode *vp) { int error, result; error = vn_refreshlabel(vp, old); if (error) return (error); result = 0; MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label); return (result); } static void mac_init_label(struct label *label) { bzero(label, sizeof(*label)); label->l_flags = MAC_FLAG_INITIALIZED; } static void mac_init_structmac(struct mac *mac) { bzero(mac, sizeof(*mac)); mac->m_macflags = MAC_FLAG_INITIALIZED; } static void mac_destroy_label(struct label *label) { KASSERT(label->l_flags & MAC_FLAG_INITIALIZED, ("destroying uninitialized label")); bzero(label, sizeof(*label)); /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */ } int mac_init_mbuf(struct mbuf *m, int how) { KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf")); /* "how" is one of M_(TRY|DONT)WAIT */ mac_init_label(&m->m_pkthdr.label); MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_add_int(&nmacmbufs, 1); #endif return (0); } void mac_destroy_mbuf(struct mbuf *m) { MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmbufs, 1); #endif } void mac_init_cred(struct ucred *cr) { mac_init_label(&cr->cr_label); MAC_PERFORM(init_cred, cr, &cr->cr_label); #ifdef MAC_DEBUG atomic_add_int(&nmaccreds, 1); #endif } void mac_destroy_cred(struct ucred *cr) { MAC_PERFORM(destroy_cred, cr, &cr->cr_label); mac_destroy_label(&cr->cr_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmaccreds, 1); #endif } void mac_init_ifnet(struct ifnet *ifp) { mac_init_label(&ifp->if_label); MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); #ifdef MAC_DEBUG atomic_add_int(&nmacifnets, 1); #endif } void mac_destroy_ifnet(struct ifnet *ifp) { MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacifnets, 1); #endif } void mac_init_ipq(struct ipq *ipq) { mac_init_label(&ipq->ipq_label); MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); #ifdef MAC_DEBUG atomic_add_int(&nmacipqs, 1); #endif } void mac_destroy_ipq(struct ipq *ipq) { MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); mac_destroy_label(&ipq->ipq_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacipqs, 1); #endif } void mac_init_socket(struct socket *socket) { mac_init_label(&socket->so_label); mac_init_label(&socket->so_peerlabel); MAC_PERFORM(init_socket, socket, &socket->so_label, &socket->so_peerlabel); #ifdef MAC_DEBUG atomic_add_int(&nmacsockets, 1); #endif } void mac_destroy_socket(struct socket *socket) { MAC_PERFORM(destroy_socket, socket, &socket->so_label, &socket->so_peerlabel); mac_destroy_label(&socket->so_label); mac_destroy_label(&socket->so_peerlabel); #ifdef MAC_DEBUG atomic_subtract_int(&nmacsockets, 1); #endif } void mac_init_pipe(struct pipe *pipe) { struct label *label; label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); mac_init_label(label); pipe->pipe_label = label; pipe->pipe_peer->pipe_label = label; MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); #ifdef MAC_DEBUG atomic_add_int(&nmacpipes, 1); #endif } void mac_destroy_pipe(struct pipe *pipe) { MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); mac_destroy_label(pipe->pipe_label); free(pipe->pipe_label, M_MACPIPELABEL); #ifdef MAC_DEBUG atomic_subtract_int(&nmacpipes, 1); #endif } void mac_init_bpfdesc(struct bpf_d *bpf_d) { mac_init_label(&bpf_d->bd_label); MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); #ifdef MAC_DEBUG atomic_add_int(&nmacbpfdescs, 1); #endif } void mac_destroy_bpfdesc(struct bpf_d *bpf_d) { MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); mac_destroy_label(&bpf_d->bd_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacbpfdescs, 1); #endif } void mac_init_mount(struct mount *mp) { mac_init_label(&mp->mnt_mntlabel); mac_init_label(&mp->mnt_fslabel); MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); #ifdef MAC_DEBUG atomic_add_int(&nmacmounts, 1); #endif } void mac_destroy_mount(struct mount *mp) { MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); mac_destroy_label(&mp->mnt_fslabel); mac_destroy_label(&mp->mnt_mntlabel); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmounts, 1); #endif } static void mac_init_temp(struct label *label) { mac_init_label(label); MAC_PERFORM(init_temp, label); #ifdef MAC_DEBUG atomic_add_int(&nmactemp, 1); #endif } static void mac_destroy_temp(struct label *label) { MAC_PERFORM(destroy_temp, label); mac_destroy_label(label); #ifdef MAC_DEBUG atomic_subtract_int(&nmactemp, 1); #endif } void mac_init_vnode(struct vnode *vp) { mac_init_label(&vp->v_label); MAC_PERFORM(init_vnode, vp, &vp->v_label); #ifdef MAC_DEBUG atomic_add_int(&nmacvnodes, 1); #endif } void mac_destroy_vnode(struct vnode *vp) { MAC_PERFORM(destroy_vnode, vp, &vp->v_label); mac_destroy_label(&vp->v_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacvnodes, 1); #endif } void mac_init_devfsdirent(struct devfs_dirent *de) { mac_init_label(&de->de_label); MAC_PERFORM(init_devfsdirent, de, &de->de_label); #ifdef MAC_DEBUG atomic_add_int(&nmacdevfsdirents, 1); #endif } void mac_destroy_devfsdirent(struct devfs_dirent *de) { MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); mac_destroy_label(&de->de_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacdevfsdirents, 1); #endif } static int mac_externalize(struct label *label, struct mac *mac) { int error; mac_init_structmac(mac); MAC_CHECK(externalize, label, mac); return (error); } static int mac_internalize(struct label *label, struct mac *mac) { int error; mac_init_temp(label); MAC_CHECK(internalize, label, mac); if (error) mac_destroy_temp(label); return (error); } /* * Initialize MAC label for the first kernel process, from which other * kernel processes and threads are spawned. */ void mac_create_proc0(struct ucred *cred) { MAC_PERFORM(create_proc0, cred); } /* * Initialize MAC label for the first userland process, from which other * userland processes and threads are spawned. */ void mac_create_proc1(struct ucred *cred) { MAC_PERFORM(create_proc1, cred); } /* * When a new process is created, its label must be initialized. Generally, * this involves inheritence from the parent process, modulo possible * deltas. This function allows that processing to take place. */ void mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred) { MAC_PERFORM(create_cred, parent_cred, child_cred); } int mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags); return (error); } int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct componentname *cnp, struct vattr *vap) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap); return (error); } int mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type); return (error); } int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec"); if (!mac_enforce_process && !mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label); return (error); } int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type); return (error); } int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp); return (error); } vm_prot_t mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) { vm_prot_t result = VM_PROT_ALL; /* * This should be some sort of MAC_BITWISE, maybe :) */ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_perms"); MAC_BOOLEAN(check_vnode_mmap_perms, &, cred, vp, &vp->v_label, newmapping); return (result); } int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) +mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + if (!mac_enforce_fs) return (0); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + return (error); +} + +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); + error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); return (error); } int -mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + return (error); } int mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label); return (error); } static int mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel"); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel); return (error); } int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, struct vnode *vp, int samedir, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); if (vp != NULL) { error = vn_refreshlabel(vp, cred); if (error) return (error); } MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp, vp != NULL ? &vp->v_label : NULL, samedir, cnp); return (error); } int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label); return (error); } int mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, struct acl *acl) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl); return (error); } int mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags); return (error); } int mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode); return (error); } int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, gid_t gid) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid); return (error); } int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime, mtime); return (error); } int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label); return (error); } + +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its * memory space, and revoke access (in the least surprising ways we * know) when necessary. The process lock is not held here. */ static void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred) { /* XXX freeze all other threads */ mtx_lock(&Giant); mac_cred_mmapped_drop_perms_recurse(td, cred, &td->td_proc->p_vmspace->vm_map); mtx_unlock(&Giant); /* XXX allow other threads to continue */ } static __inline const char * prot2str(vm_prot_t prot) { switch (prot & VM_PROT_ALL) { case VM_PROT_READ: return ("r--"); case VM_PROT_READ | VM_PROT_WRITE: return ("rw-"); case VM_PROT_READ | VM_PROT_EXECUTE: return ("r-x"); case VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE: return ("rwx"); case VM_PROT_WRITE: return ("-w-"); case VM_PROT_EXECUTE: return ("--x"); case VM_PROT_WRITE | VM_PROT_EXECUTE: return ("-wx"); default: return ("---"); } } static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map) { struct vm_map_entry *vme; vm_prot_t result, revokeperms; vm_object_t object; vm_ooffset_t offset; struct vnode *vp; vm_map_lock_read(map); for (vme = map->header.next; vme != &map->header; vme = vme->next) { if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) { mac_cred_mmapped_drop_perms_recurse(td, cred, vme->object.sub_map); continue; } /* * Skip over entries that obviously are not shared. */ if (vme->eflags & (MAP_ENTRY_COW | MAP_ENTRY_NOSYNC) || !vme->max_protection) continue; /* * Drill down to the deepest backing object. */ offset = vme->offset; object = vme->object.vm_object; if (object == NULL) continue; while (object->backing_object != NULL) { object = object->backing_object; offset += object->backing_object_offset; } /* * At the moment, vm_maps and objects aren't considered * by the MAC system, so only things with backing by a * normal object (read: vnodes) are checked. */ if (object->type != OBJT_VNODE) continue; vp = (struct vnode *)object->handle; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); result = mac_check_vnode_mmap_prot(cred, vp, 0); VOP_UNLOCK(vp, 0, td); /* * Find out what maximum protection we may be allowing * now but a policy needs to get removed. */ revokeperms = vme->max_protection & ~result; if (!revokeperms) continue; printf("pid %d: revoking %s perms from %#lx:%d " "(max %s/cur %s)\n", td->td_proc->p_pid, prot2str(revokeperms), vme->start, vme->end - vme->start, prot2str(vme->max_protection), prot2str(vme->protection)); vm_map_lock_upgrade(map); /* * This is the really simple case: if a map has more * max_protection than is allowed, but it's not being * actually used (that is, the current protection is * still allowed), we can just wipe it out and do * nothing more. */ if ((vme->protection & revokeperms) == 0) { vme->max_protection -= revokeperms; } else { if (revokeperms & VM_PROT_WRITE) { /* * In the more complicated case, flush out all * pending changes to the object then turn it * copy-on-write. */ vm_object_reference(object); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); vm_object_page_clean(object, OFF_TO_IDX(offset), OFF_TO_IDX(offset + vme->end - vme->start + PAGE_MASK), OBJPC_SYNC); VOP_UNLOCK(vp, 0, td); vm_object_deallocate(object); /* * Why bother if there's no read permissions * anymore? For the rest, we need to leave * the write permissions on for COW, or * remove them entirely if configured to. */ if (!mac_mmap_revocation_via_cow) { vme->max_protection &= ~VM_PROT_WRITE; vme->protection &= ~VM_PROT_WRITE; } if ((revokeperms & VM_PROT_READ) == 0) vme->eflags |= MAP_ENTRY_COW | MAP_ENTRY_NEEDS_COPY; } if (revokeperms & VM_PROT_EXECUTE) { vme->max_protection &= ~VM_PROT_EXECUTE; vme->protection &= ~VM_PROT_EXECUTE; } if (revokeperms & VM_PROT_READ) { vme->max_protection = 0; vme->protection = 0; } pmap_protect(map->pmap, vme->start, vme->end, vme->protection & ~revokeperms); vm_map_simplify_entry(map, vme); } vm_map_lock_downgrade(map); } vm_map_unlock_read(map); } /* * When the subject's label changes, it may require revocation of privilege * to mapped objects. This can't be done on-the-fly later with a unified * buffer cache. */ static void mac_relabel_cred(struct ucred *cred, struct label *newlabel) { MAC_PERFORM(relabel_cred, cred, newlabel); mac_cred_mmapped_drop_perms(curthread, cred); } void mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel) { MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel); } void mac_create_ifnet(struct ifnet *ifnet) { MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label); } void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) { MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label); } void mac_create_socket(struct ucred *cred, struct socket *socket) { MAC_PERFORM(create_socket, cred, socket, &socket->so_label); } void mac_create_pipe(struct ucred *cred, struct pipe *pipe) { MAC_PERFORM(create_pipe, cred, pipe, pipe->pipe_label); } void mac_create_socket_from_socket(struct socket *oldsocket, struct socket *newsocket) { MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label, newsocket, &newsocket->so_label); } static void mac_relabel_socket(struct ucred *cred, struct socket *socket, struct label *newlabel) { MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel); } static void mac_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *newlabel) { MAC_PERFORM(relabel_pipe, cred, pipe, pipe->pipe_label, newlabel); } void mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) { MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, &mbuf->m_pkthdr.label, socket, &socket->so_peerlabel); } void mac_set_socket_peer_from_socket(struct socket *oldsocket, struct socket *newsocket) { MAC_PERFORM(set_socket_peer_from_socket, oldsocket, &oldsocket->so_label, newsocket, &newsocket->so_peerlabel); } void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram) { MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label, datagram, &datagram->m_pkthdr.label); } void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment) { MAC_PERFORM(create_fragment, datagram, &datagram->m_pkthdr.label, fragment, &fragment->m_pkthdr.label); } void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq) { MAC_PERFORM(create_ipq, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); } void mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_from_mbuf, oldmbuf, &oldmbuf->m_pkthdr.label, newmbuf, &newmbuf->m_pkthdr.label); } void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, &oldmbuf->m_pkthdr.label, ifnet, &ifnet->if_label, newmbuf, &newmbuf->m_pkthdr.label); } void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_netlayer, oldmbuf, &oldmbuf->m_pkthdr.label, newmbuf, &newmbuf->m_pkthdr.label); } int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) { int result; result = 1; MAC_BOOLEAN(fragment_match, &&, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); return (result); } void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) { MAC_PERFORM(update_ipq, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); } void mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mount(struct ucred *cred, struct mount *mp) { MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); } void mac_create_root_mount(struct ucred *cred, struct mount *mp) { MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); } int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) { int error; if (!mac_enforce_network) return (0); MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet, &ifnet->if_label); return (error); } static int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel) { int error; MAC_CHECK(check_cred_relabel, cred, newlabel); return (error); } int mac_check_cred_visible(struct ucred *u1, struct ucred *u2) { int error; if (!mac_enforce_process) return (0); MAC_CHECK(check_cred_visible, u1, u2); return (error); } int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) { int error; if (!mac_enforce_network) return (0); KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr")); if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED)) printf("%s%d: not initialized\n", ifnet->if_name, ifnet->if_unit); MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); return (error); } int mac_check_mount_stat(struct ucred *cred, struct mount *mount) { int error; if (!mac_enforce_fs) return (0); MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel); return (error); } int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, void *data) { int error; MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); return (error); } int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) { int error; MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); return (error); } static int mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *newlabel) { int error; MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); return (error); } int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_debug, cred, proc); return (error); } int mac_check_proc_sched(struct ucred *cred, struct proc *proc) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_sched, cred, proc); return (error); } int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_signal, cred, proc, signum); return (error); } int mac_check_socket_bind(struct ucred *ucred, struct socket *socket, struct sockaddr *sockaddr) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label, sockaddr); return (error); } int mac_check_socket_connect(struct ucred *cred, struct socket *socket, struct sockaddr *sockaddr) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label, sockaddr); return (error); } int mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf, &mbuf->m_pkthdr.label); return (error); } int mac_check_socket_listen(struct ucred *cred, struct socket *socket) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label); return (error); } static int mac_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *newlabel) { int error; MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label, newlabel); return (error); } int mac_check_socket_visible(struct ucred *cred, struct socket *socket) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label); return (error); } int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { struct mac label; int error; error = mac_externalize(&ifnet->if_label, &label); if (error) return (error); return (copyout(&label, ifr->ifr_ifru.ifru_data, sizeof(label))); } int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { struct mac newlabel; struct label intlabel; int error; error = copyin(ifr->ifr_ifru.ifru_data, &newlabel, sizeof(newlabel)); if (error) return (error); error = mac_internalize(&intlabel, &newlabel); if (error) return (error); /* * XXX: Note that this is a redundant privilege check, since * policies impose this check themselves if required by the * policy. Eventually, this should go away. */ error = suser_cred(cred, 0); if (error) goto out; MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label, &intlabel); if (error) goto out; MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel); out: mac_destroy_temp(&intlabel); return (error); } void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp) { MAC_PERFORM(create_devfs_vnode, de, &de->de_label, vp, &vp->v_label); } void mac_create_devfs_device(dev_t dev, struct devfs_dirent *de) { MAC_PERFORM(create_devfs_device, dev, de, &de->de_label); } static int mac_stdcreatevnode_ea(struct vnode *vp) { int error; MAC_CHECK(stdcreatevnode_ea, vp, &vp->v_label); return (error); } void mac_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *de) { MAC_PERFORM(create_devfs_directory, dirname, dirnamelen, de, &de->de_label); } /* * When a new vnode is created, this call will initialize its label. */ void mac_create_vnode(struct ucred *cred, struct vnode *parent, struct vnode *child) { int error; ASSERT_VOP_LOCKED(parent, "mac_create_vnode"); ASSERT_VOP_LOCKED(child, "mac_create_vnode"); error = vn_refreshlabel(parent, cred); if (error) { printf("mac_create_vnode: vn_refreshlabel returned %d\n", error); printf("mac_create_vnode: using old vnode label\n"); } MAC_PERFORM(create_vnode, cred, parent, &parent->v_label, child, &child->v_label); } int mac_setsockopt_label_set(struct ucred *cred, struct socket *so, struct mac *extmac) { struct label intlabel; int error; error = mac_internalize(&intlabel, extmac); if (error) return (error); mac_check_socket_relabel(cred, so, &intlabel); if (error) { mac_destroy_temp(&intlabel); return (error); } mac_relabel_socket(cred, so, &intlabel); mac_destroy_temp(&intlabel); return (0); } int mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) { int error; error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); mac_relabel_pipe(cred, pipe, label); return (0); } int mac_getsockopt_label_get(struct ucred *cred, struct socket *so, struct mac *extmac) { return (mac_externalize(&so->so_label, extmac)); } int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, struct mac *extmac) { return (mac_externalize(&so->so_peerlabel, extmac)); } /* * Implementation of VOP_SETLABEL() that relies on extended attributes * to store label data. Can be referenced by filesystems supporting * extended attributes. */ int vop_stdsetlabel_ea(struct vop_setlabel_args *ap) { struct vnode *vp = ap->a_vp; struct label *intlabel = ap->a_label; struct mac extmac; int error; ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea"); /* * XXX: Eventually call out to EA check/set calls here. * Be particularly careful to avoid race conditions, * consistency problems, and stability problems when * dealing with multiple EAs. In particular, we require * the ability to write multiple EAs on the same file in * a single transaction, which the current EA interface * does not provide. */ error = mac_externalize(intlabel, &extmac); if (error) return (error); error = vn_extattr_set(vp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, sizeof(extmac), (char *)&extmac, curthread); if (error) return (error); mac_relabel_vnode(ap->a_cred, vp, intlabel); vp->v_vflag |= VV_CACHEDLABEL; return (0); } static int vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) { int error; if (vp->v_mount == NULL) { /* printf("vn_setlabel: null v_mount\n"); */ if (vp->v_tag != VT_NON) printf("vn_setlabel: null v_mount with non-VT_NON\n"); return (EBADF); } if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) return (EOPNOTSUPP); /* * Multi-phase commit. First check the policies to confirm the * change is OK. Then commit via the filesystem. Finally, * update the actual vnode label. Question: maybe the filesystem * should update the vnode at the end as part of VOP_SETLABEL()? */ error = mac_check_vnode_relabel(cred, vp, intlabel); if (error) return (error); /* * VADMIN provides the opportunity for the filesystem to make * decisions about who is and is not able to modify labels * and protections on files. This might not be right. We can't * assume VOP_SETLABEL() will do it, because we might implement * that as part of vop_stdsetlabel_ea(). */ error = VOP_ACCESS(vp, VADMIN, cred, curthread); if (error) return (error); error = VOP_SETLABEL(vp, intlabel, cred, curthread); if (error) return (error); return (0); } /* * MPSAFE */ int __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) { struct mac extmac; int error; error = mac_externalize(&td->td_ucred->cr_label, &extmac); if (error == 0) error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); return (error); } /* * MPSAFE * * XXX: Needs to be re-written for proc locking. */ int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { struct ucred *newcred, *oldcred; struct proc *p; struct mac extmac; struct label intlabel; int error; error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) return (error); error = mac_internalize(&intlabel, &extmac); if (error) return (error); newcred = crget(); p = td->td_proc; PROC_LOCK(p); oldcred = p->p_ucred; error = mac_check_cred_relabel(oldcred, &intlabel); if (error) { PROC_UNLOCK(p); mac_destroy_temp(&intlabel); crfree(newcred); return (error); } setsugid(p); crcopy(newcred, oldcred); PROC_UNLOCK(p); mac_relabel_cred(newcred, &intlabel); PROC_LOCK(p); p->p_ucred = newcred; PROC_UNLOCK(p); crfree(oldcred); mac_destroy_temp(&intlabel); return (0); } /* * MPSAFE */ int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { struct file *fp; struct mac extmac; struct vnode *vp; struct pipe *pipe; int error; mtx_lock(&Giant); error = fget(td, SCARG(uap, fd), &fp); if (error) goto out; switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: vp = (struct vnode *)fp->f_data; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = vn_refreshlabel(vp, td->td_ucred); if (error == 0) error = mac_externalize(&vp->v_label, &extmac); VOP_UNLOCK(vp, 0, td); break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; error = mac_externalize(pipe->pipe_label, &extmac); break; default: error = EINVAL; } if (error == 0) error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); fdrop(fp, td); out: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { struct nameidata nd; struct mac extmac; int error; mtx_lock(&Giant); NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, SCARG(uap, path_p), td); error = namei(&nd); if (error) goto out; error = vn_refreshlabel(nd.ni_vp, td->td_ucred); if (error == 0) error = mac_externalize(&nd.ni_vp->v_label, &extmac); NDFREE(&nd, 0); if (error) goto out; error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); out: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { struct file *fp; struct mac extmac; struct label intlabel; struct mount *mp; struct vnode *vp; struct pipe *pipe; int error; mtx_lock(&Giant); error = fget(td, SCARG(uap, fd), &fp); if (error) goto out1; error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) goto out2; error = mac_internalize(&intlabel, &extmac); if (error) goto out2; switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: vp = (struct vnode *)fp->f_data; error = vn_start_write(vp, &mp, V_WAIT | PCATCH); if (error != 0) break; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = vn_setlabel(vp, &intlabel, td->td_ucred); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); mac_destroy_temp(&intlabel); break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); break; default: error = EINVAL; } out2: fdrop(fp, td); out1: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { struct nameidata nd; struct mac extmac; struct label intlabel; struct mount *mp; int error; mtx_lock(&Giant); error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) goto out; error = mac_internalize(&intlabel, &extmac); if (error) goto out; NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, SCARG(uap, path_p), td); error = namei(&nd); if (error) goto out2; error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error) goto out2; error = vn_setlabel(nd.ni_vp, &intlabel, td->td_ucred); vn_finished_write(mp); out2: mac_destroy_temp(&intlabel); NDFREE(&nd, 0); out: mtx_unlock(&Giant); return (error); } SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); #else /* !MAC */ int __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) { return (ENOSYS); } int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { return (ENOSYS); } int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { return (ENOSYS); } int __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { return (ENOSYS); } int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { return (ENOSYS); } int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { return (ENOSYS); } #endif /* !MAC */ Index: head/sys/security/mac/mac_policy.h =================================================================== --- head/sys/security/mac/mac_policy.h (revision 102111) +++ head/sys/security/mac/mac_policy.h (revision 102112) @@ -1,492 +1,498 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by NAI Labs, * the Security Research Division of Network Associates, Inc. under * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The names of the authors may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ /* * Kernel interface for MAC policy modules. */ #ifndef _SYS_MAC_POLICY_H #define _SYS_MAC_POLICY_H /*- * Pluggable access control policy definition structure. * * List of operations that are performed as part of the implementation * of a MAC policy. Policy implementors declare operations with a * mac_policy_ops structure, and using the MAC_POLICY_SET() macro. * If an entry point is not declared, then then the policy will be ignored * during evaluation of that event or check. * * Operations are sorted first by general class of operation, then * alphabetically. */ struct mac_policy_conf; struct mac_policy_ops { /* * Policy module operations. */ void (*mpo_destroy)(struct mac_policy_conf *mpc); void (*mpo_init)(struct mac_policy_conf *mpc); /* * Label operations. */ void (*mpo_init_bpfdesc)(struct bpf_d *, struct label *label); void (*mpo_init_cred)(struct ucred *, struct label *label); void (*mpo_init_devfsdirent)(struct devfs_dirent *, struct label *label); void (*mpo_init_ifnet)(struct ifnet *, struct label *label); void (*mpo_init_ipq)(struct ipq *ipq, struct label *label); int (*mpo_init_mbuf)(struct mbuf *, int how, struct label *label); void (*mpo_init_mount)(struct mount *, struct label *mntlabel, struct label *fslabel); void (*mpo_init_socket)(struct socket *so, struct label *label, struct label *peerlabel); void (*mpo_init_pipe)(struct pipe *pipe, struct label *label); void (*mpo_init_temp)(struct label *label); void (*mpo_init_vnode)(struct vnode *, struct label *label); void (*mpo_destroy_bpfdesc)(struct bpf_d *, struct label *label); void (*mpo_destroy_cred)(struct ucred *, struct label *label); void (*mpo_destroy_devfsdirent)(struct devfs_dirent *de, struct label *label); void (*mpo_destroy_ifnet)(struct ifnet *, struct label *label); void (*mpo_destroy_ipq)(struct ipq *ipq, struct label *label); void (*mpo_destroy_mbuf)(struct mbuf *, struct label *label); void (*mpo_destroy_mount)(struct mount *, struct label *mntlabel, struct label *fslabel); void (*mpo_destroy_socket)(struct socket *so, struct label *label, struct label *peerlabel); void (*mpo_destroy_pipe)(struct pipe *pipe, struct label *label); void (*mpo_destroy_temp)(struct label *label); void (*mpo_destroy_vnode)(struct vnode *, struct label *label); int (*mpo_externalize)(struct label *label, struct mac *extmac); int (*mpo_internalize)(struct label *label, struct mac *extmac); /* * Labeling event operations: file system objects, and things that * look a lot like file system objects. */ void (*mpo_create_devfs_device)(dev_t dev, struct devfs_dirent *de, struct label *label); void (*mpo_create_devfs_directory)(char *dirname, int dirnamelen, struct devfs_dirent *de, struct label *label); void (*mpo_create_devfs_vnode)(struct devfs_dirent *de, struct label *direntlabel, struct vnode *vp, struct label *vnodelabel); void (*mpo_create_vnode)(struct ucred *cred, struct vnode *parent, struct label *parentlabel, struct vnode *child, struct label *childlabel); void (*mpo_create_mount)(struct ucred *cred, struct mount *mp, struct label *mntlabel, struct label *fslabel); void (*mpo_create_root_mount)(struct ucred *cred, struct mount *mp, struct label *mountlabel, struct label *fslabel); void (*mpo_relabel_vnode)(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *label); int (*mpo_stdcreatevnode_ea)(struct vnode *vp, struct label *vnodelabel); void (*mpo_update_devfsdirent)(struct devfs_dirent *devfs_dirent, struct label *direntlabel, struct vnode *vp, struct label *vnodelabel); void (*mpo_update_procfsvnode)(struct vnode *vp, struct label *vnodelabel, struct ucred *cred); int (*mpo_update_vnode_from_extattr)(struct vnode *vp, struct label *vnodelabel, struct mount *mp, struct label *fslabel); int (*mpo_update_vnode_from_externalized)(struct vnode *vp, struct label *vnodelabel, struct mac *mac); void (*mpo_update_vnode_from_mount)(struct vnode *vp, struct label *vnodelabel, struct mount *mp, struct label *fslabel); /* * Labeling event operations: IPC objects. */ void (*mpo_create_mbuf_from_socket)(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel); void (*mpo_create_socket)(struct ucred *cred, struct socket *so, struct label *socketlabel); void (*mpo_create_socket_from_socket)(struct socket *oldsocket, struct label *oldsocketlabel, struct socket *newsocket, struct label *newsocketlabel); void (*mpo_relabel_socket)(struct ucred *cred, struct socket *so, struct label *oldlabel, struct label *newlabel); void (*mpo_relabel_pipe)(struct ucred *cred, struct pipe *pipe, struct label *oldlabel, struct label *newlabel); void (*mpo_set_socket_peer_from_mbuf)(struct mbuf *mbuf, struct label *mbuflabel, struct socket *so, struct label *socketpeerlabel); void (*mpo_set_socket_peer_from_socket)(struct socket *oldsocket, struct label *oldsocketlabel, struct socket *newsocket, struct label *newsocketpeerlabel); void (*mpo_create_pipe)(struct ucred *cred, struct pipe *pipe, struct label *pipelabel); /* * Labeling event operations: network objects. */ void (*mpo_create_bpfdesc)(struct ucred *cred, struct bpf_d *bpf_d, struct label *bpflabel); void (*mpo_create_ifnet)(struct ifnet *ifnet, struct label *ifnetlabel); void (*mpo_create_ipq)(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel); void (*mpo_create_datagram_from_ipq) (struct ipq *ipq, struct label *ipqlabel, struct mbuf *datagram, struct label *datagramlabel); void (*mpo_create_fragment)(struct mbuf *datagram, struct label *datagramlabel, struct mbuf *fragment, struct label *fragmentlabel); void (*mpo_create_mbuf_from_mbuf)(struct mbuf *oldmbuf, struct label *oldlabel, struct mbuf *newmbuf, struct label *newlabel); void (*mpo_create_mbuf_linklayer)(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *mbuf, struct label *mbuflabel); void (*mpo_create_mbuf_from_bpfdesc)(struct bpf_d *bpf_d, struct label *bpflabel, struct mbuf *mbuf, struct label *mbuflabel); void (*mpo_create_mbuf_from_ifnet)(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *mbuf, struct label *mbuflabel); void (*mpo_create_mbuf_multicast_encap)(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *newmbuf, struct label *newmbuflabel); void (*mpo_create_mbuf_netlayer)(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel); int (*mpo_fragment_match)(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel); void (*mpo_relabel_ifnet)(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, struct label *newlabel); void (*mpo_update_ipq)(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel); /* * Labeling event operations: processes. */ void (*mpo_create_cred)(struct ucred *parent_cred, struct ucred *child_cred); void (*mpo_execve_transition)(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *vnodelabel); int (*mpo_execve_will_transition)(struct ucred *old, struct vnode *vp, struct label *vnodelabel); void (*mpo_create_proc0)(struct ucred *cred); void (*mpo_create_proc1)(struct ucred *cred); void (*mpo_relabel_cred)(struct ucred *cred, struct label *newlabel); /* * Access control checks. */ int (*mpo_check_bpfdesc_receive)(struct bpf_d *bpf_d, struct label *bpflabel, struct ifnet *ifnet, struct label *ifnetlabel); int (*mpo_check_cred_relabel)(struct ucred *cred, struct label *newlabel); int (*mpo_check_cred_visible)(struct ucred *u1, struct ucred *u2); int (*mpo_check_ifnet_relabel)(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, struct label *newlabel); int (*mpo_check_ifnet_transmit)(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel); int (*mpo_check_mount_stat)(struct ucred *cred, struct mount *mp, struct label *mntlabel); int (*mpo_check_pipe_ioctl)(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, unsigned long cmd, void *data); int (*mpo_check_pipe_op)(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, int op); int (*mpo_check_pipe_relabel)(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel); int (*mpo_check_proc_debug)(struct ucred *cred, struct proc *proc); int (*mpo_check_proc_sched)(struct ucred *cred, struct proc *proc); int (*mpo_check_proc_signal)(struct ucred *cred, struct proc *proc, int signum); int (*mpo_check_socket_bind)(struct ucred *cred, struct socket *so, struct label *socketlabel, struct sockaddr *sockaddr); int (*mpo_check_socket_connect)(struct ucred *cred, struct socket *so, struct label *socketlabel, struct sockaddr *sockaddr); int (*mpo_check_socket_deliver)(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel); int (*mpo_check_socket_listen)(struct ucred *cred, struct socket *so, struct label *socketlabel); int (*mpo_check_socket_relabel)(struct ucred *cred, struct socket *so, struct label *socketlabel, struct label *newlabel); int (*mpo_check_socket_visible)(struct ucred *cred, struct socket *so, struct label *socketlabel); int (*mpo_check_vnode_access)(struct ucred *cred, struct vnode *vp, struct label *label, int flags); int (*mpo_check_vnode_chdir)(struct ucred *cred, struct vnode *dvp, struct label *dlabel); int (*mpo_check_vnode_chroot)(struct ucred *cred, struct vnode *dvp, struct label *dlabel); int (*mpo_check_vnode_create)(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp, struct vattr *vap); int (*mpo_check_vnode_delete)(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, void *label, struct componentname *cnp); int (*mpo_check_vnode_deleteacl)(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type); int (*mpo_check_vnode_exec)(struct ucred *cred, struct vnode *vp, struct label *label); int (*mpo_check_vnode_getacl)(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type); int (*mpo_check_vnode_getextattr)(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio); int (*mpo_check_vnode_lookup)(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp); vm_prot_t (*mpo_check_vnode_mmap_perms)(struct ucred *cred, struct vnode *vp, struct label *label, int newmapping); - int (*mpo_check_vnode_op)(struct ucred *cred, struct vnode *vp, - struct label *label, int op); int (*mpo_check_vnode_open)(struct ucred *cred, struct vnode *vp, struct label *label, mode_t acc_mode); + int (*mpo_check_vnode_poll)(struct ucred *cred, struct vnode *vp, + struct label *label); + int (*mpo_check_vnode_read)(struct ucred *cred, struct vnode *vp, + struct label *label); int (*mpo_check_vnode_readdir)(struct ucred *cred, struct vnode *dvp, struct label *dlabel); int (*mpo_check_vnode_readlink)(struct ucred *cred, struct vnode *vp, struct label *label); int (*mpo_check_vnode_relabel)(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *newlabel); int (*mpo_check_vnode_rename_from)(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp); int (*mpo_check_vnode_rename_to)(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, int samedir, struct componentname *cnp); int (*mpo_check_vnode_revoke)(struct ucred *cred, struct vnode *vp, struct label *label); int (*mpo_check_vnode_setacl)(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type, struct acl *acl); int (*mpo_check_vnode_setextattr)(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio); int (*mpo_check_vnode_setflags)(struct ucred *cred, struct vnode *vp, struct label *label, u_long flags); int (*mpo_check_vnode_setmode)(struct ucred *cred, struct vnode *vp, struct label *label, mode_t mode); int (*mpo_check_vnode_setowner)(struct ucred *cred, struct vnode *vp, struct label *label, uid_t uid, gid_t gid); int (*mpo_check_vnode_setutimes)(struct ucred *cred, struct vnode *vp, struct label *label, struct timespec atime, struct timespec mtime); int (*mpo_check_vnode_stat)(struct ucred *cred, struct vnode *vp, struct label *label); + int (*mpo_check_vnode_write)(struct ucred *cred, struct vnode *vp, + struct label *label); }; typedef const void *macop_t; enum mac_op_constant { MAC_OP_LAST, MAC_DESTROY, MAC_INIT, MAC_INIT_BPFDESC, MAC_INIT_CRED, MAC_INIT_DEVFSDIRENT, MAC_INIT_IFNET, MAC_INIT_IPQ, MAC_INIT_MBUF, MAC_INIT_MOUNT, MAC_INIT_PIPE, MAC_INIT_SOCKET, MAC_INIT_TEMP, MAC_INIT_VNODE, MAC_DESTROY_BPFDESC, MAC_DESTROY_CRED, MAC_DESTROY_DEVFSDIRENT, MAC_DESTROY_IFNET, MAC_DESTROY_IPQ, MAC_DESTROY_MBUF, MAC_DESTROY_MOUNT, MAC_DESTROY_PIPE, MAC_DESTROY_SOCKET, MAC_DESTROY_TEMP, MAC_DESTROY_VNODE, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_CREATE_DEVFS_DEVICE, MAC_CREATE_DEVFS_DIRECTORY, MAC_CREATE_DEVFS_VNODE, MAC_CREATE_VNODE, MAC_CREATE_MOUNT, MAC_CREATE_ROOT_MOUNT, MAC_RELABEL_VNODE, MAC_STDCREATEVNODE_EA, MAC_UPDATE_DEVFSDIRENT, MAC_UPDATE_PROCFSVNODE, MAC_UPDATE_VNODE_FROM_EXTATTR, MAC_UPDATE_VNODE_FROM_EXTERNALIZED, MAC_UPDATE_VNODE_FROM_MOUNT, MAC_CREATE_MBUF_FROM_SOCKET, MAC_CREATE_PIPE, MAC_CREATE_SOCKET, MAC_CREATE_SOCKET_FROM_SOCKET, MAC_RELABEL_PIPE, MAC_RELABEL_SOCKET, MAC_SET_SOCKET_PEER_FROM_MBUF, MAC_SET_SOCKET_PEER_FROM_SOCKET, MAC_CREATE_BPFDESC, MAC_CREATE_DATAGRAM_FROM_IPQ, MAC_CREATE_IFNET, MAC_CREATE_IPQ, MAC_CREATE_FRAGMENT, MAC_CREATE_MBUF_FROM_MBUF, MAC_CREATE_MBUF_LINKLAYER, MAC_CREATE_MBUF_FROM_BPFDESC, MAC_CREATE_MBUF_FROM_IFNET, MAC_CREATE_MBUF_MULTICAST_ENCAP, MAC_CREATE_MBUF_NETLAYER, MAC_FRAGMENT_MATCH, MAC_RELABEL_IFNET, MAC_UPDATE_IPQ, MAC_CREATE_CRED, MAC_EXECVE_TRANSITION, MAC_EXECVE_WILL_TRANSITION, MAC_CREATE_PROC0, MAC_CREATE_PROC1, MAC_RELABEL_CRED, MAC_CHECK_BPFDESC_RECEIVE, MAC_CHECK_CRED_RELABEL, MAC_CHECK_CRED_VISIBLE, MAC_CHECK_IFNET_RELABEL, MAC_CHECK_IFNET_TRANSMIT, MAC_CHECK_MOUNT_STAT, MAC_CHECK_PIPE_IOCTL, MAC_CHECK_PIPE_OP, MAC_CHECK_PIPE_RELABEL, MAC_CHECK_PROC_DEBUG, MAC_CHECK_PROC_SCHED, MAC_CHECK_PROC_SIGNAL, MAC_CHECK_SOCKET_BIND, MAC_CHECK_SOCKET_CONNECT, MAC_CHECK_SOCKET_DELIVER, MAC_CHECK_SOCKET_LISTEN, MAC_CHECK_SOCKET_RELABEL, MAC_CHECK_SOCKET_VISIBLE, MAC_CHECK_VNODE_ACCESS, MAC_CHECK_VNODE_CHDIR, MAC_CHECK_VNODE_CHROOT, MAC_CHECK_VNODE_CREATE, MAC_CHECK_VNODE_DELETE, MAC_CHECK_VNODE_DELETEACL, MAC_CHECK_VNODE_EXEC, MAC_CHECK_VNODE_GETACL, MAC_CHECK_VNODE_GETEXTATTR, MAC_CHECK_VNODE_LOOKUP, MAC_CHECK_VNODE_MMAP_PERMS, - MAC_CHECK_VNODE_OP, MAC_CHECK_VNODE_OPEN, + MAC_CHECK_VNODE_POLL, + MAC_CHECK_VNODE_READ, MAC_CHECK_VNODE_READDIR, MAC_CHECK_VNODE_READLINK, MAC_CHECK_VNODE_RELABEL, MAC_CHECK_VNODE_RENAME_FROM, MAC_CHECK_VNODE_RENAME_TO, MAC_CHECK_VNODE_REVOKE, MAC_CHECK_VNODE_SETACL, MAC_CHECK_VNODE_SETEXTATTR, MAC_CHECK_VNODE_SETFLAGS, MAC_CHECK_VNODE_SETMODE, MAC_CHECK_VNODE_SETOWNER, MAC_CHECK_VNODE_SETUTIMES, MAC_CHECK_VNODE_STAT, + MAC_CHECK_VNODE_WRITE, }; struct mac_policy_op_entry { enum mac_op_constant mpe_constant; /* what this hook implements */ macop_t mpe_function; /* hook's implementation */ }; struct mac_policy_conf { char *mpc_name; /* policy name */ char *mpc_fullname; /* policy full name */ struct mac_policy_ops *mpc_ops; /* policy operations */ struct mac_policy_op_entry *mpc_entries; /* ops to fill in */ int mpc_loadtime_flags; /* flags */ int *mpc_field_off; /* security field */ int mpc_runtime_flags; /* flags */ LIST_ENTRY(mac_policy_conf) mpc_list; /* global list */ }; /* Flags for the mpc_loadtime_flags field. */ #define MPC_LOADTIME_FLAG_NOTLATE 0x00000001 #define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002 /* Flags for the mpc_runtime_flags field. */ #define MPC_RUNTIME_FLAG_REGISTERED 0x00000001 #define MAC_POLICY_SET(mpents, mpname, mpfullname, mpflags, privdata_wanted) \ static struct mac_policy_conf mpname##_mac_policy_conf = { \ #mpname, \ mpfullname, \ NULL, \ mpents, \ mpflags, \ privdata_wanted, \ 0, \ }; \ static moduledata_t mpname##_mod = { \ #mpname, \ mac_policy_modevent, \ &mpname##_mac_policy_conf \ }; \ MODULE_DEPEND(mpname, kernel_mac_support, 1, 1, 1); \ DECLARE_MODULE(mpname, mpname##_mod, SI_SUB_MAC_POLICY, \ SI_ORDER_MIDDLE) int mac_policy_modevent(module_t mod, int type, void *data); #define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s] #endif /* !_SYS_MAC_POLICY_H */ Index: head/sys/security/mac/mac_process.c =================================================================== --- head/sys/security/mac/mac_process.c (revision 102111) +++ head/sys/security/mac/mac_process.c (revision 102112) @@ -1,3174 +1,3221 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the * TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by NAI Labs, * the Security Research Division of Network Associates, Inc. under * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The names of the authors may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ /* * Developed by the TrustedBSD Project. * * Framework for extensible kernel access control. Kernel and userland * interface to the framework, policy registration and composition. */ #include "opt_mac.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef MAC /* * Declare that the kernel provides MAC support, version 1. This permits * modules to refuse to be loaded if the necessary support isn't present, * even if it's pre-boot. */ MODULE_VERSION(kernel_mac_support, 1); SYSCTL_DECL(_security); SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0, "TrustedBSD MAC policy controls"); SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0, "TrustedBSD MAC debug info"); static int mac_debug_label_fallback = 0; SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW, &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label" "when label is corrupted."); TUNABLE_INT("security.mac.debug_label_fallback", &mac_debug_label_fallback); #ifndef MAC_MAX_POLICIES #define MAC_MAX_POLICIES 8 #endif #if MAC_MAX_POLICIES > 32 #error "MAC_MAX_POLICIES too large" #endif static unsigned int mac_max_policies = MAC_MAX_POLICIES; static unsigned int mac_policy_offsets_free = (1 << MAC_MAX_POLICIES) - 1; SYSCTL_UINT(_security_mac, OID_AUTO, max_policies, CTLFLAG_RD, &mac_max_policies, 0, ""); static int mac_late = 0; static int mac_enforce_fs = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); static int mac_enforce_network = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, &mac_enforce_network, 0, "Enforce MAC policy on network packets"); TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network); static int mac_enforce_process = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW, &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations"); TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process); static int mac_enforce_socket = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); static int mac_enforce_pipe = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW, &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations"); static int mac_label_size = sizeof(struct mac); SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, &mac_label_size, 0, "Pre-compiled MAC label size"); static int mac_cache_fslabel_in_vnode = 1; SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW, &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode"); TUNABLE_INT("security.mac.cache_fslabel_in_vnode", &mac_cache_fslabel_in_vnode); static int mac_vnode_label_cache_hits = 0; SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD, &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels"); static int mac_vnode_label_cache_misses = 0; SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD, &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels"); static int mac_mmap_revocation_via_cow = 0; SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " "copy-on-write semantics, or by removing all write access"); #ifdef MAC_DEBUG static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, nmacipqs, nmacpipes; SYSCTL_UINT(_security_mac_debug, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, creds, CTLFLAG_RD, &nmaccreds, 0, "number of ucreds in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, ifnets, CTLFLAG_RD, &nmacifnets, 0, "number of ifnets in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, ipqs, CTLFLAG_RD, &nmacipqs, 0, "number of ipqs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, bpfdescs, CTLFLAG_RD, &nmacbpfdescs, 0, "number of bpfdescs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, pipes, CTLFLAG_RD, &nmacpipes, 0, "number of pipes in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, mounts, CTLFLAG_RD, &nmacmounts, 0, "number of mounts in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, temp, CTLFLAG_RD, &nmactemp, 0, "number of temporary labels in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, vnodes, CTLFLAG_RD, &nmacvnodes, 0, "number of vnodes in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, devfsdirents, CTLFLAG_RD, &nmacdevfsdirents, 0, "number of devfs dirents inuse"); #endif static int error_select(int error1, int error2); static int mac_externalize(struct label *label, struct mac *mac); static int mac_policy_register(struct mac_policy_conf *mpc); static int mac_policy_unregister(struct mac_policy_conf *mpc); static int mac_stdcreatevnode_ea(struct vnode *vp); static void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred); static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map); MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector"); MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes"); /* * mac_policy_list_lock protects the consistency of 'mac_policy_list', * the linked list of attached policy modules. Read-only consumers of * the list must acquire a shared lock for the duration of their use; * writers must acquire an exclusive lock. Note that for compound * operations, locks should be held for the entire compound operation, * and that this is not yet done for relabel requests. */ static struct mtx mac_policy_list_lock; static LIST_HEAD(, mac_policy_conf) mac_policy_list; static int mac_policy_list_busy; #define MAC_POLICY_LIST_LOCKINIT() mtx_init(&mac_policy_list_lock, \ "mac_policy_list_lock", NULL, MTX_DEF); #define MAC_POLICY_LIST_LOCK() mtx_lock(&mac_policy_list_lock); #define MAC_POLICY_LIST_UNLOCK() mtx_unlock(&mac_policy_list_lock); #define MAC_POLICY_LIST_BUSY() do { \ MAC_POLICY_LIST_LOCK(); \ mac_policy_list_busy++; \ MAC_POLICY_LIST_UNLOCK(); \ } while (0) #define MAC_POLICY_LIST_UNBUSY() do { \ MAC_POLICY_LIST_LOCK(); \ mac_policy_list_busy--; \ if (mac_policy_list_busy < 0) \ panic("Extra mac_policy_list_busy--"); \ MAC_POLICY_LIST_UNLOCK(); \ } while (0) /* * MAC_CHECK performs the designated check by walking the policy * module list and checking with each as to how it feels about the * request. Note that it returns its value via 'error' in the scope * of the caller. */ #define MAC_CHECK(check, args...) do { \ struct mac_policy_conf *mpc; \ \ error = 0; \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## check != NULL) \ error = error_select( \ mpc->mpc_ops->mpo_ ## check (args), \ error); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * MAC_BOOLEAN performs the designated boolean composition by walking * the module list, invoking each instance of the operation, and * combining the results using the passed C operator. Note that it * returns its value via 'result' in the scope of the caller, which * should be initialized by the caller in a meaningful way to get * a meaningful result. */ #define MAC_BOOLEAN(operation, composition, args...) do { \ struct mac_policy_conf *mpc; \ \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## operation != NULL) \ result = result composition \ mpc->mpc_ops->mpo_ ## operation (args); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * MAC_PERFORM performs the designated operation by walking the policy * module list and invoking that operation for each policy. */ #define MAC_PERFORM(operation, args...) do { \ struct mac_policy_conf *mpc; \ \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## operation != NULL) \ mpc->mpc_ops->mpo_ ## operation (args); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * Initialize the MAC subsystem, including appropriate SMP locks. */ static void mac_init(void) { LIST_INIT(&mac_policy_list); MAC_POLICY_LIST_LOCKINIT(); } /* * For the purposes of modules that want to know if they were loaded * "early", set the mac_late flag once we've processed modules either * linked into the kernel, or loaded before the kernel startup. */ static void mac_late_init(void) { mac_late = 1; } /* * Allow MAC policy modules to register during boot, etc. */ int mac_policy_modevent(module_t mod, int type, void *data) { struct mac_policy_conf *mpc; int error; error = 0; mpc = (struct mac_policy_conf *) data; switch (type) { case MOD_LOAD: if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE && mac_late) { printf("mac_policy_modevent: can't load %s policy " "after booting\n", mpc->mpc_name); error = EBUSY; break; } error = mac_policy_register(mpc); break; case MOD_UNLOAD: /* Don't unregister the module if it was never registered. */ if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) != 0) error = mac_policy_unregister(mpc); else error = 0; break; default: break; } return (error); } static int mac_policy_register(struct mac_policy_conf *mpc) { struct mac_policy_conf *tmpc; struct mac_policy_ops *ops; struct mac_policy_op_entry *mpe; int slot; MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*ops), M_MACOPVEC, M_WAITOK | M_ZERO); for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) { switch (mpe->mpe_constant) { case MAC_OP_LAST: /* * Doesn't actually happen, but this allows checking * that all enumerated values are handled. */ break; case MAC_DESTROY: mpc->mpc_ops->mpo_destroy = mpe->mpe_function; break; case MAC_INIT: mpc->mpc_ops->mpo_init = mpe->mpe_function; break; case MAC_INIT_BPFDESC: mpc->mpc_ops->mpo_init_bpfdesc = mpe->mpe_function; break; case MAC_INIT_CRED: mpc->mpc_ops->mpo_init_cred = mpe->mpe_function; break; case MAC_INIT_DEVFSDIRENT: mpc->mpc_ops->mpo_init_devfsdirent = mpe->mpe_function; break; case MAC_INIT_IFNET: mpc->mpc_ops->mpo_init_ifnet = mpe->mpe_function; break; case MAC_INIT_IPQ: mpc->mpc_ops->mpo_init_ipq = mpe->mpe_function; break; case MAC_INIT_MBUF: mpc->mpc_ops->mpo_init_mbuf = mpe->mpe_function; break; case MAC_INIT_MOUNT: mpc->mpc_ops->mpo_init_mount = mpe->mpe_function; break; case MAC_INIT_PIPE: mpc->mpc_ops->mpo_init_pipe = mpe->mpe_function; break; case MAC_INIT_SOCKET: mpc->mpc_ops->mpo_init_socket = mpe->mpe_function; break; case MAC_INIT_TEMP: mpc->mpc_ops->mpo_init_temp = mpe->mpe_function; break; case MAC_INIT_VNODE: mpc->mpc_ops->mpo_init_vnode = mpe->mpe_function; break; case MAC_DESTROY_BPFDESC: mpc->mpc_ops->mpo_destroy_bpfdesc = mpe->mpe_function; break; case MAC_DESTROY_CRED: mpc->mpc_ops->mpo_destroy_cred = mpe->mpe_function; break; case MAC_DESTROY_DEVFSDIRENT: mpc->mpc_ops->mpo_destroy_devfsdirent = mpe->mpe_function; break; case MAC_DESTROY_IFNET: mpc->mpc_ops->mpo_destroy_ifnet = mpe->mpe_function; break; case MAC_DESTROY_IPQ: mpc->mpc_ops->mpo_destroy_ipq = mpe->mpe_function; break; case MAC_DESTROY_MBUF: mpc->mpc_ops->mpo_destroy_mbuf = mpe->mpe_function; break; case MAC_DESTROY_MOUNT: mpc->mpc_ops->mpo_destroy_mount = mpe->mpe_function; break; case MAC_DESTROY_PIPE: mpc->mpc_ops->mpo_destroy_pipe = mpe->mpe_function; break; case MAC_DESTROY_SOCKET: mpc->mpc_ops->mpo_destroy_socket = mpe->mpe_function; break; case MAC_DESTROY_TEMP: mpc->mpc_ops->mpo_destroy_temp = mpe->mpe_function; break; case MAC_DESTROY_VNODE: mpc->mpc_ops->mpo_destroy_vnode = mpe->mpe_function; break; case MAC_EXTERNALIZE: mpc->mpc_ops->mpo_externalize = mpe->mpe_function; break; case MAC_INTERNALIZE: mpc->mpc_ops->mpo_internalize = mpe->mpe_function; break; case MAC_CREATE_DEVFS_DEVICE: mpc->mpc_ops->mpo_create_devfs_device = mpe->mpe_function; break; case MAC_CREATE_DEVFS_DIRECTORY: mpc->mpc_ops->mpo_create_devfs_directory = mpe->mpe_function; break; case MAC_CREATE_DEVFS_VNODE: mpc->mpc_ops->mpo_create_devfs_vnode = mpe->mpe_function; break; case MAC_STDCREATEVNODE_EA: mpc->mpc_ops->mpo_stdcreatevnode_ea = mpe->mpe_function; break; case MAC_CREATE_VNODE: mpc->mpc_ops->mpo_create_vnode = mpe->mpe_function; break; case MAC_CREATE_MOUNT: mpc->mpc_ops->mpo_create_mount = mpe->mpe_function; break; case MAC_CREATE_ROOT_MOUNT: mpc->mpc_ops->mpo_create_root_mount = mpe->mpe_function; break; case MAC_RELABEL_VNODE: mpc->mpc_ops->mpo_relabel_vnode = mpe->mpe_function; break; case MAC_UPDATE_DEVFSDIRENT: mpc->mpc_ops->mpo_update_devfsdirent = mpe->mpe_function; break; case MAC_UPDATE_PROCFSVNODE: mpc->mpc_ops->mpo_update_procfsvnode = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_EXTATTR: mpc->mpc_ops->mpo_update_vnode_from_extattr = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_EXTERNALIZED: mpc->mpc_ops->mpo_update_vnode_from_externalized = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_MOUNT: mpc->mpc_ops->mpo_update_vnode_from_mount = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_SOCKET: mpc->mpc_ops->mpo_create_mbuf_from_socket = mpe->mpe_function; break; case MAC_CREATE_PIPE: mpc->mpc_ops->mpo_create_pipe = mpe->mpe_function; break; case MAC_CREATE_SOCKET: mpc->mpc_ops->mpo_create_socket = mpe->mpe_function; break; case MAC_CREATE_SOCKET_FROM_SOCKET: mpc->mpc_ops->mpo_create_socket_from_socket = mpe->mpe_function; break; case MAC_RELABEL_PIPE: mpc->mpc_ops->mpo_relabel_pipe = mpe->mpe_function; break; case MAC_RELABEL_SOCKET: mpc->mpc_ops->mpo_relabel_socket = mpe->mpe_function; break; case MAC_SET_SOCKET_PEER_FROM_MBUF: mpc->mpc_ops->mpo_set_socket_peer_from_mbuf = mpe->mpe_function; break; case MAC_SET_SOCKET_PEER_FROM_SOCKET: mpc->mpc_ops->mpo_set_socket_peer_from_socket = mpe->mpe_function; break; case MAC_CREATE_BPFDESC: mpc->mpc_ops->mpo_create_bpfdesc = mpe->mpe_function; break; case MAC_CREATE_DATAGRAM_FROM_IPQ: mpc->mpc_ops->mpo_create_datagram_from_ipq = mpe->mpe_function; break; case MAC_CREATE_FRAGMENT: mpc->mpc_ops->mpo_create_fragment = mpe->mpe_function; break; case MAC_CREATE_IFNET: mpc->mpc_ops->mpo_create_ifnet = mpe->mpe_function; break; case MAC_CREATE_IPQ: mpc->mpc_ops->mpo_create_ipq = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_MBUF: mpc->mpc_ops->mpo_create_mbuf_from_mbuf = mpe->mpe_function; break; case MAC_CREATE_MBUF_LINKLAYER: mpc->mpc_ops->mpo_create_mbuf_linklayer = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_BPFDESC: mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_IFNET: mpc->mpc_ops->mpo_create_mbuf_from_ifnet = mpe->mpe_function; break; case MAC_CREATE_MBUF_MULTICAST_ENCAP: mpc->mpc_ops->mpo_create_mbuf_multicast_encap = mpe->mpe_function; break; case MAC_CREATE_MBUF_NETLAYER: mpc->mpc_ops->mpo_create_mbuf_netlayer = mpe->mpe_function; break; case MAC_FRAGMENT_MATCH: mpc->mpc_ops->mpo_fragment_match = mpe->mpe_function; break; case MAC_RELABEL_IFNET: mpc->mpc_ops->mpo_relabel_ifnet = mpe->mpe_function; break; case MAC_UPDATE_IPQ: mpc->mpc_ops->mpo_update_ipq = mpe->mpe_function; break; case MAC_CREATE_CRED: mpc->mpc_ops->mpo_create_cred = mpe->mpe_function; break; case MAC_EXECVE_TRANSITION: mpc->mpc_ops->mpo_execve_transition = mpe->mpe_function; break; case MAC_EXECVE_WILL_TRANSITION: mpc->mpc_ops->mpo_execve_will_transition = mpe->mpe_function; break; case MAC_CREATE_PROC0: mpc->mpc_ops->mpo_create_proc0 = mpe->mpe_function; break; case MAC_CREATE_PROC1: mpc->mpc_ops->mpo_create_proc1 = mpe->mpe_function; break; case MAC_RELABEL_CRED: mpc->mpc_ops->mpo_relabel_cred = mpe->mpe_function; break; case MAC_CHECK_BPFDESC_RECEIVE: mpc->mpc_ops->mpo_check_bpfdesc_receive = mpe->mpe_function; break; case MAC_CHECK_CRED_RELABEL: mpc->mpc_ops->mpo_check_cred_relabel = mpe->mpe_function; break; case MAC_CHECK_CRED_VISIBLE: mpc->mpc_ops->mpo_check_cred_visible = mpe->mpe_function; break; case MAC_CHECK_IFNET_RELABEL: mpc->mpc_ops->mpo_check_ifnet_relabel = mpe->mpe_function; break; case MAC_CHECK_IFNET_TRANSMIT: mpc->mpc_ops->mpo_check_ifnet_transmit = mpe->mpe_function; break; case MAC_CHECK_MOUNT_STAT: mpc->mpc_ops->mpo_check_mount_stat = mpe->mpe_function; break; case MAC_CHECK_PIPE_IOCTL: mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; case MAC_CHECK_PIPE_OP: mpc->mpc_ops->mpo_check_pipe_op = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; break; case MAC_CHECK_PROC_SCHED: mpc->mpc_ops->mpo_check_proc_sched = mpe->mpe_function; break; case MAC_CHECK_PROC_SIGNAL: mpc->mpc_ops->mpo_check_proc_signal = mpe->mpe_function; break; case MAC_CHECK_SOCKET_BIND: mpc->mpc_ops->mpo_check_socket_bind = mpe->mpe_function; break; case MAC_CHECK_SOCKET_CONNECT: mpc->mpc_ops->mpo_check_socket_connect = mpe->mpe_function; break; case MAC_CHECK_SOCKET_DELIVER: mpc->mpc_ops->mpo_check_socket_deliver = mpe->mpe_function; break; case MAC_CHECK_SOCKET_LISTEN: mpc->mpc_ops->mpo_check_socket_listen = mpe->mpe_function; break; case MAC_CHECK_SOCKET_RELABEL: mpc->mpc_ops->mpo_check_socket_relabel = mpe->mpe_function; break; case MAC_CHECK_SOCKET_VISIBLE: mpc->mpc_ops->mpo_check_socket_visible = mpe->mpe_function; break; case MAC_CHECK_VNODE_ACCESS: mpc->mpc_ops->mpo_check_vnode_access = mpe->mpe_function; break; case MAC_CHECK_VNODE_CHDIR: mpc->mpc_ops->mpo_check_vnode_chdir = mpe->mpe_function; break; case MAC_CHECK_VNODE_CHROOT: mpc->mpc_ops->mpo_check_vnode_chroot = mpe->mpe_function; break; case MAC_CHECK_VNODE_CREATE: mpc->mpc_ops->mpo_check_vnode_create = mpe->mpe_function; break; case MAC_CHECK_VNODE_DELETE: mpc->mpc_ops->mpo_check_vnode_delete = mpe->mpe_function; break; case MAC_CHECK_VNODE_DELETEACL: mpc->mpc_ops->mpo_check_vnode_deleteacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_EXEC: mpc->mpc_ops->mpo_check_vnode_exec = mpe->mpe_function; break; case MAC_CHECK_VNODE_GETACL: mpc->mpc_ops->mpo_check_vnode_getacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_GETEXTATTR: mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; case MAC_CHECK_VNODE_LOOKUP: mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; break; case MAC_CHECK_VNODE_MMAP_PERMS: mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; break; case MAC_CHECK_VNODE_READLINK: mpc->mpc_ops->mpo_check_vnode_readlink = mpe->mpe_function; break; case MAC_CHECK_VNODE_RELABEL: mpc->mpc_ops->mpo_check_vnode_relabel = mpe->mpe_function; break; case MAC_CHECK_VNODE_RENAME_FROM: mpc->mpc_ops->mpo_check_vnode_rename_from = mpe->mpe_function; break; case MAC_CHECK_VNODE_RENAME_TO: mpc->mpc_ops->mpo_check_vnode_rename_to = mpe->mpe_function; break; case MAC_CHECK_VNODE_REVOKE: mpc->mpc_ops->mpo_check_vnode_revoke = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETACL: mpc->mpc_ops->mpo_check_vnode_setacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETEXTATTR: mpc->mpc_ops->mpo_check_vnode_setextattr = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETFLAGS: mpc->mpc_ops->mpo_check_vnode_setflags = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETMODE: mpc->mpc_ops->mpo_check_vnode_setmode = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETOWNER: mpc->mpc_ops->mpo_check_vnode_setowner = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETUTIMES: mpc->mpc_ops->mpo_check_vnode_setutimes = mpe->mpe_function; break; case MAC_CHECK_VNODE_STAT: mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", mpc->mpc_name, mpe->mpe_constant); return (EINVAL); */ } } MAC_POLICY_LIST_LOCK(); if (mac_policy_list_busy > 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (EBUSY); } LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (EEXIST); } } if (mpc->mpc_field_off != NULL) { slot = ffs(mac_policy_offsets_free); if (slot == 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (ENOMEM); } slot--; mac_policy_offsets_free &= ~(1 << slot); *mpc->mpc_field_off = slot; } mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED; LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list); /* Per-policy initialization. */ if (mpc->mpc_ops->mpo_init != NULL) (*(mpc->mpc_ops->mpo_init))(mpc); MAC_POLICY_LIST_UNLOCK(); printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); return (0); } static int mac_policy_unregister(struct mac_policy_conf *mpc) { #if 0 /* * Don't allow unloading modules with private data. */ if (mpc->mpc_field_off != NULL) return (EBUSY); #endif if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) return (EBUSY); MAC_POLICY_LIST_LOCK(); if (mac_policy_list_busy > 0) { MAC_POLICY_LIST_UNLOCK(); return (EBUSY); } if (mpc->mpc_ops->mpo_destroy != NULL) (*(mpc->mpc_ops->mpo_destroy))(mpc); LIST_REMOVE(mpc, mpc_list); MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); return (0); } /* * Define an error value precedence, and given two arguments, selects the * value with the higher precedence. */ static int error_select(int error1, int error2) { /* Certain decision-making errors take top priority. */ if (error1 == EDEADLK || error2 == EDEADLK) return (EDEADLK); /* Invalid arguments should be reported where possible. */ if (error1 == EINVAL || error2 == EINVAL) return (EINVAL); /* Precedence goes to "visibility", with both process and file. */ if (error1 == ESRCH || error2 == ESRCH) return (ESRCH); if (error1 == ENOENT || error2 == ENOENT) return (ENOENT); /* Precedence goes to DAC/MAC protections. */ if (error1 == EACCES || error2 == EACCES) return (EACCES); /* Precedence goes to privilege. */ if (error1 == EPERM || error2 == EPERM) return (EPERM); /* Precedence goes to error over success; otherwise, arbitrary. */ if (error1 != 0) return (error1); return (error2); } void mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp) { MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label); } void mac_update_procfsvnode(struct vnode *vp, struct ucred *cred) { MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred); } /* * Support callout for policies that manage their own externalization * using extended attributes. */ static int mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp) { int error; MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp, &mp->mnt_fslabel); return (error); } /* * Given an externalized mac label, internalize it and stamp it on a * vnode. */ static int mac_update_vnode_from_externalized(struct vnode *vp, struct mac *extmac) { int error; MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac); return (error); } /* * Call out to individual policies to update the label in a vnode from * the mountpoint. */ void mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp) { MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp, &mp->mnt_fslabel); ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount"); if (mac_cache_fslabel_in_vnode) vp->v_vflag |= VV_CACHEDLABEL; } /* * Implementation of VOP_REFRESHLABEL() that relies on extended attributes * to store label data. Can be referenced by filesystems supporting * extended attributes. */ int vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap) { struct vnode *vp = ap->a_vp; struct mac extmac; int buflen, error; ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea"); /* * Call out to external policies first. Order doesn't really * matter, as long as failure of one assures failure of all. */ error = mac_update_vnode_from_extattr(vp, vp->v_mount); if (error) return (error); buflen = sizeof(extmac); error = vn_extattr_get(vp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen, (char *)&extmac, curthread); switch (error) { case 0: /* Got it */ break; case ENOATTR: /* * Use the label from the mount point. */ mac_update_vnode_from_mount(vp, vp->v_mount); return (0); case EOPNOTSUPP: default: /* Fail horribly. */ return (error); } if (buflen != sizeof(extmac)) error = EPERM; /* Fail very closed. */ if (error == 0) error = mac_update_vnode_from_externalized(vp, &extmac); if (error == 0) vp->v_vflag |= VV_CACHEDLABEL; else { struct vattr va; printf("Corrupted label on %s", vp->v_mount->mnt_stat.f_mntonname); if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0) printf(" inum %ld", va.va_fileid); if (mac_debug_label_fallback) { printf(", falling back.\n"); mac_update_vnode_from_mount(vp, vp->v_mount); error = 0; } else { printf(".\n"); error = EPERM; } } return (error); } /* * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle * the labeling activity outselves. Filesystems should be careful not * to change their minds regarding whether they support vop_refreshlabel() * for a vnode or not. Don't cache the vnode here, allow the file * system code to determine if it's safe to cache. If we update from * the mount, don't cache since a change to the mount label should affect * all vnodes. */ static int vn_refreshlabel(struct vnode *vp, struct ucred *cred) { int error; ASSERT_VOP_LOCKED(vp, "vn_refreshlabel"); if (vp->v_mount == NULL) { /* Eventually, we probably want to special-case refreshing of deadfs vnodes, and if there's a lock-free race somewhere, that case might be handled here. mac_update_vnode_deadfs(vp); return (0); */ /* printf("vn_refreshlabel: null v_mount\n"); */ if (vp->v_tag != VT_NON) printf( "vn_refreshlabel: null v_mount with non-VT_NON\n"); return (EBADF); } if (vp->v_vflag & VV_CACHEDLABEL) { mac_vnode_label_cache_hits++; return (0); } else mac_vnode_label_cache_misses++; if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { mac_update_vnode_from_mount(vp, vp->v_mount); return (0); } error = VOP_REFRESHLABEL(vp, cred, curthread); switch (error) { case EOPNOTSUPP: /* * If labels are not supported on this vnode, fall back to * the label in the mount and propagate it to the vnode. * There should probably be some sort of policy/flag/decision * about doing this. */ mac_update_vnode_from_mount(vp, vp->v_mount); error = 0; default: return (error); } } /* * Helper function for file systems using the vop_std*_ea() calls. This * function must be called after EA service is available for the vnode, * but before it's hooked up to the namespace so that the node persists * if there's a crash, or before it can be accessed. On successful * commit of the label to disk (etc), do cache the label. */ int vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred) { struct mac extmac; int error; ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea"); if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { mac_update_vnode_from_mount(tvp, tvp->v_mount); } else { error = vn_refreshlabel(dvp, cred); if (error) return (error); /* * Stick the label in the vnode. Then try to write to * disk. If we fail, return a failure to abort the * create operation. Really, this failure shouldn't * happen except in fairly unusual circumstances (out * of disk, etc). */ mac_create_vnode(cred, dvp, tvp); error = mac_stdcreatevnode_ea(tvp); if (error) return (error); /* * XXX: Eventually this will go away and all policies will * directly manage their extended attributes. */ error = mac_externalize(&tvp->v_label, &extmac); if (error) return (error); error = vn_extattr_set(tvp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, sizeof(extmac), (char *)&extmac, curthread); if (error == 0) tvp->v_vflag |= VV_CACHEDLABEL; else { #if 0 /* * In theory, we could have fall-back behavior here. * It would probably be incorrect. */ #endif return (error); } } return (0); } void mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_execve_transition"); error = vn_refreshlabel(vp, old); if (error) { printf("mac_execve_transition: vn_refreshlabel returned %d\n", error); printf("mac_execve_transition: using old vnode label\n"); } MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label); } int mac_execve_will_transition(struct ucred *old, struct vnode *vp) { int error, result; error = vn_refreshlabel(vp, old); if (error) return (error); result = 0; MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label); return (result); } static void mac_init_label(struct label *label) { bzero(label, sizeof(*label)); label->l_flags = MAC_FLAG_INITIALIZED; } static void mac_init_structmac(struct mac *mac) { bzero(mac, sizeof(*mac)); mac->m_macflags = MAC_FLAG_INITIALIZED; } static void mac_destroy_label(struct label *label) { KASSERT(label->l_flags & MAC_FLAG_INITIALIZED, ("destroying uninitialized label")); bzero(label, sizeof(*label)); /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */ } int mac_init_mbuf(struct mbuf *m, int how) { KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf")); /* "how" is one of M_(TRY|DONT)WAIT */ mac_init_label(&m->m_pkthdr.label); MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_add_int(&nmacmbufs, 1); #endif return (0); } void mac_destroy_mbuf(struct mbuf *m) { MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmbufs, 1); #endif } void mac_init_cred(struct ucred *cr) { mac_init_label(&cr->cr_label); MAC_PERFORM(init_cred, cr, &cr->cr_label); #ifdef MAC_DEBUG atomic_add_int(&nmaccreds, 1); #endif } void mac_destroy_cred(struct ucred *cr) { MAC_PERFORM(destroy_cred, cr, &cr->cr_label); mac_destroy_label(&cr->cr_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmaccreds, 1); #endif } void mac_init_ifnet(struct ifnet *ifp) { mac_init_label(&ifp->if_label); MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); #ifdef MAC_DEBUG atomic_add_int(&nmacifnets, 1); #endif } void mac_destroy_ifnet(struct ifnet *ifp) { MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacifnets, 1); #endif } void mac_init_ipq(struct ipq *ipq) { mac_init_label(&ipq->ipq_label); MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); #ifdef MAC_DEBUG atomic_add_int(&nmacipqs, 1); #endif } void mac_destroy_ipq(struct ipq *ipq) { MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); mac_destroy_label(&ipq->ipq_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacipqs, 1); #endif } void mac_init_socket(struct socket *socket) { mac_init_label(&socket->so_label); mac_init_label(&socket->so_peerlabel); MAC_PERFORM(init_socket, socket, &socket->so_label, &socket->so_peerlabel); #ifdef MAC_DEBUG atomic_add_int(&nmacsockets, 1); #endif } void mac_destroy_socket(struct socket *socket) { MAC_PERFORM(destroy_socket, socket, &socket->so_label, &socket->so_peerlabel); mac_destroy_label(&socket->so_label); mac_destroy_label(&socket->so_peerlabel); #ifdef MAC_DEBUG atomic_subtract_int(&nmacsockets, 1); #endif } void mac_init_pipe(struct pipe *pipe) { struct label *label; label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); mac_init_label(label); pipe->pipe_label = label; pipe->pipe_peer->pipe_label = label; MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); #ifdef MAC_DEBUG atomic_add_int(&nmacpipes, 1); #endif } void mac_destroy_pipe(struct pipe *pipe) { MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); mac_destroy_label(pipe->pipe_label); free(pipe->pipe_label, M_MACPIPELABEL); #ifdef MAC_DEBUG atomic_subtract_int(&nmacpipes, 1); #endif } void mac_init_bpfdesc(struct bpf_d *bpf_d) { mac_init_label(&bpf_d->bd_label); MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); #ifdef MAC_DEBUG atomic_add_int(&nmacbpfdescs, 1); #endif } void mac_destroy_bpfdesc(struct bpf_d *bpf_d) { MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); mac_destroy_label(&bpf_d->bd_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacbpfdescs, 1); #endif } void mac_init_mount(struct mount *mp) { mac_init_label(&mp->mnt_mntlabel); mac_init_label(&mp->mnt_fslabel); MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); #ifdef MAC_DEBUG atomic_add_int(&nmacmounts, 1); #endif } void mac_destroy_mount(struct mount *mp) { MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); mac_destroy_label(&mp->mnt_fslabel); mac_destroy_label(&mp->mnt_mntlabel); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmounts, 1); #endif } static void mac_init_temp(struct label *label) { mac_init_label(label); MAC_PERFORM(init_temp, label); #ifdef MAC_DEBUG atomic_add_int(&nmactemp, 1); #endif } static void mac_destroy_temp(struct label *label) { MAC_PERFORM(destroy_temp, label); mac_destroy_label(label); #ifdef MAC_DEBUG atomic_subtract_int(&nmactemp, 1); #endif } void mac_init_vnode(struct vnode *vp) { mac_init_label(&vp->v_label); MAC_PERFORM(init_vnode, vp, &vp->v_label); #ifdef MAC_DEBUG atomic_add_int(&nmacvnodes, 1); #endif } void mac_destroy_vnode(struct vnode *vp) { MAC_PERFORM(destroy_vnode, vp, &vp->v_label); mac_destroy_label(&vp->v_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacvnodes, 1); #endif } void mac_init_devfsdirent(struct devfs_dirent *de) { mac_init_label(&de->de_label); MAC_PERFORM(init_devfsdirent, de, &de->de_label); #ifdef MAC_DEBUG atomic_add_int(&nmacdevfsdirents, 1); #endif } void mac_destroy_devfsdirent(struct devfs_dirent *de) { MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); mac_destroy_label(&de->de_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacdevfsdirents, 1); #endif } static int mac_externalize(struct label *label, struct mac *mac) { int error; mac_init_structmac(mac); MAC_CHECK(externalize, label, mac); return (error); } static int mac_internalize(struct label *label, struct mac *mac) { int error; mac_init_temp(label); MAC_CHECK(internalize, label, mac); if (error) mac_destroy_temp(label); return (error); } /* * Initialize MAC label for the first kernel process, from which other * kernel processes and threads are spawned. */ void mac_create_proc0(struct ucred *cred) { MAC_PERFORM(create_proc0, cred); } /* * Initialize MAC label for the first userland process, from which other * userland processes and threads are spawned. */ void mac_create_proc1(struct ucred *cred) { MAC_PERFORM(create_proc1, cred); } /* * When a new process is created, its label must be initialized. Generally, * this involves inheritence from the parent process, modulo possible * deltas. This function allows that processing to take place. */ void mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred) { MAC_PERFORM(create_cred, parent_cred, child_cred); } int mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags); return (error); } int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct componentname *cnp, struct vattr *vap) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap); return (error); } int mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type); return (error); } int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec"); if (!mac_enforce_process && !mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label); return (error); } int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type); return (error); } int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp); return (error); } vm_prot_t mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) { vm_prot_t result = VM_PROT_ALL; /* * This should be some sort of MAC_BITWISE, maybe :) */ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_perms"); MAC_BOOLEAN(check_vnode_mmap_perms, &, cred, vp, &vp->v_label, newmapping); return (result); } int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) +mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + if (!mac_enforce_fs) return (0); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + return (error); +} + +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); + error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); return (error); } int -mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + return (error); } int mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label); return (error); } static int mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel"); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel); return (error); } int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, struct vnode *vp, int samedir, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); if (vp != NULL) { error = vn_refreshlabel(vp, cred); if (error) return (error); } MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp, vp != NULL ? &vp->v_label : NULL, samedir, cnp); return (error); } int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label); return (error); } int mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, struct acl *acl) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl); return (error); } int mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags); return (error); } int mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode); return (error); } int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, gid_t gid) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid); return (error); } int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime, mtime); return (error); } int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label); return (error); } + +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its * memory space, and revoke access (in the least surprising ways we * know) when necessary. The process lock is not held here. */ static void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred) { /* XXX freeze all other threads */ mtx_lock(&Giant); mac_cred_mmapped_drop_perms_recurse(td, cred, &td->td_proc->p_vmspace->vm_map); mtx_unlock(&Giant); /* XXX allow other threads to continue */ } static __inline const char * prot2str(vm_prot_t prot) { switch (prot & VM_PROT_ALL) { case VM_PROT_READ: return ("r--"); case VM_PROT_READ | VM_PROT_WRITE: return ("rw-"); case VM_PROT_READ | VM_PROT_EXECUTE: return ("r-x"); case VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE: return ("rwx"); case VM_PROT_WRITE: return ("-w-"); case VM_PROT_EXECUTE: return ("--x"); case VM_PROT_WRITE | VM_PROT_EXECUTE: return ("-wx"); default: return ("---"); } } static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map) { struct vm_map_entry *vme; vm_prot_t result, revokeperms; vm_object_t object; vm_ooffset_t offset; struct vnode *vp; vm_map_lock_read(map); for (vme = map->header.next; vme != &map->header; vme = vme->next) { if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) { mac_cred_mmapped_drop_perms_recurse(td, cred, vme->object.sub_map); continue; } /* * Skip over entries that obviously are not shared. */ if (vme->eflags & (MAP_ENTRY_COW | MAP_ENTRY_NOSYNC) || !vme->max_protection) continue; /* * Drill down to the deepest backing object. */ offset = vme->offset; object = vme->object.vm_object; if (object == NULL) continue; while (object->backing_object != NULL) { object = object->backing_object; offset += object->backing_object_offset; } /* * At the moment, vm_maps and objects aren't considered * by the MAC system, so only things with backing by a * normal object (read: vnodes) are checked. */ if (object->type != OBJT_VNODE) continue; vp = (struct vnode *)object->handle; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); result = mac_check_vnode_mmap_prot(cred, vp, 0); VOP_UNLOCK(vp, 0, td); /* * Find out what maximum protection we may be allowing * now but a policy needs to get removed. */ revokeperms = vme->max_protection & ~result; if (!revokeperms) continue; printf("pid %d: revoking %s perms from %#lx:%d " "(max %s/cur %s)\n", td->td_proc->p_pid, prot2str(revokeperms), vme->start, vme->end - vme->start, prot2str(vme->max_protection), prot2str(vme->protection)); vm_map_lock_upgrade(map); /* * This is the really simple case: if a map has more * max_protection than is allowed, but it's not being * actually used (that is, the current protection is * still allowed), we can just wipe it out and do * nothing more. */ if ((vme->protection & revokeperms) == 0) { vme->max_protection -= revokeperms; } else { if (revokeperms & VM_PROT_WRITE) { /* * In the more complicated case, flush out all * pending changes to the object then turn it * copy-on-write. */ vm_object_reference(object); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); vm_object_page_clean(object, OFF_TO_IDX(offset), OFF_TO_IDX(offset + vme->end - vme->start + PAGE_MASK), OBJPC_SYNC); VOP_UNLOCK(vp, 0, td); vm_object_deallocate(object); /* * Why bother if there's no read permissions * anymore? For the rest, we need to leave * the write permissions on for COW, or * remove them entirely if configured to. */ if (!mac_mmap_revocation_via_cow) { vme->max_protection &= ~VM_PROT_WRITE; vme->protection &= ~VM_PROT_WRITE; } if ((revokeperms & VM_PROT_READ) == 0) vme->eflags |= MAP_ENTRY_COW | MAP_ENTRY_NEEDS_COPY; } if (revokeperms & VM_PROT_EXECUTE) { vme->max_protection &= ~VM_PROT_EXECUTE; vme->protection &= ~VM_PROT_EXECUTE; } if (revokeperms & VM_PROT_READ) { vme->max_protection = 0; vme->protection = 0; } pmap_protect(map->pmap, vme->start, vme->end, vme->protection & ~revokeperms); vm_map_simplify_entry(map, vme); } vm_map_lock_downgrade(map); } vm_map_unlock_read(map); } /* * When the subject's label changes, it may require revocation of privilege * to mapped objects. This can't be done on-the-fly later with a unified * buffer cache. */ static void mac_relabel_cred(struct ucred *cred, struct label *newlabel) { MAC_PERFORM(relabel_cred, cred, newlabel); mac_cred_mmapped_drop_perms(curthread, cred); } void mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel) { MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel); } void mac_create_ifnet(struct ifnet *ifnet) { MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label); } void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) { MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label); } void mac_create_socket(struct ucred *cred, struct socket *socket) { MAC_PERFORM(create_socket, cred, socket, &socket->so_label); } void mac_create_pipe(struct ucred *cred, struct pipe *pipe) { MAC_PERFORM(create_pipe, cred, pipe, pipe->pipe_label); } void mac_create_socket_from_socket(struct socket *oldsocket, struct socket *newsocket) { MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label, newsocket, &newsocket->so_label); } static void mac_relabel_socket(struct ucred *cred, struct socket *socket, struct label *newlabel) { MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel); } static void mac_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *newlabel) { MAC_PERFORM(relabel_pipe, cred, pipe, pipe->pipe_label, newlabel); } void mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) { MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, &mbuf->m_pkthdr.label, socket, &socket->so_peerlabel); } void mac_set_socket_peer_from_socket(struct socket *oldsocket, struct socket *newsocket) { MAC_PERFORM(set_socket_peer_from_socket, oldsocket, &oldsocket->so_label, newsocket, &newsocket->so_peerlabel); } void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram) { MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label, datagram, &datagram->m_pkthdr.label); } void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment) { MAC_PERFORM(create_fragment, datagram, &datagram->m_pkthdr.label, fragment, &fragment->m_pkthdr.label); } void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq) { MAC_PERFORM(create_ipq, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); } void mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_from_mbuf, oldmbuf, &oldmbuf->m_pkthdr.label, newmbuf, &newmbuf->m_pkthdr.label); } void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, &oldmbuf->m_pkthdr.label, ifnet, &ifnet->if_label, newmbuf, &newmbuf->m_pkthdr.label); } void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_netlayer, oldmbuf, &oldmbuf->m_pkthdr.label, newmbuf, &newmbuf->m_pkthdr.label); } int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) { int result; result = 1; MAC_BOOLEAN(fragment_match, &&, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); return (result); } void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) { MAC_PERFORM(update_ipq, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); } void mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mount(struct ucred *cred, struct mount *mp) { MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); } void mac_create_root_mount(struct ucred *cred, struct mount *mp) { MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); } int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) { int error; if (!mac_enforce_network) return (0); MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet, &ifnet->if_label); return (error); } static int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel) { int error; MAC_CHECK(check_cred_relabel, cred, newlabel); return (error); } int mac_check_cred_visible(struct ucred *u1, struct ucred *u2) { int error; if (!mac_enforce_process) return (0); MAC_CHECK(check_cred_visible, u1, u2); return (error); } int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) { int error; if (!mac_enforce_network) return (0); KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr")); if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED)) printf("%s%d: not initialized\n", ifnet->if_name, ifnet->if_unit); MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); return (error); } int mac_check_mount_stat(struct ucred *cred, struct mount *mount) { int error; if (!mac_enforce_fs) return (0); MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel); return (error); } int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, void *data) { int error; MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); return (error); } int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) { int error; MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); return (error); } static int mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *newlabel) { int error; MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); return (error); } int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_debug, cred, proc); return (error); } int mac_check_proc_sched(struct ucred *cred, struct proc *proc) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_sched, cred, proc); return (error); } int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_signal, cred, proc, signum); return (error); } int mac_check_socket_bind(struct ucred *ucred, struct socket *socket, struct sockaddr *sockaddr) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label, sockaddr); return (error); } int mac_check_socket_connect(struct ucred *cred, struct socket *socket, struct sockaddr *sockaddr) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label, sockaddr); return (error); } int mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf, &mbuf->m_pkthdr.label); return (error); } int mac_check_socket_listen(struct ucred *cred, struct socket *socket) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label); return (error); } static int mac_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *newlabel) { int error; MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label, newlabel); return (error); } int mac_check_socket_visible(struct ucred *cred, struct socket *socket) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label); return (error); } int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { struct mac label; int error; error = mac_externalize(&ifnet->if_label, &label); if (error) return (error); return (copyout(&label, ifr->ifr_ifru.ifru_data, sizeof(label))); } int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { struct mac newlabel; struct label intlabel; int error; error = copyin(ifr->ifr_ifru.ifru_data, &newlabel, sizeof(newlabel)); if (error) return (error); error = mac_internalize(&intlabel, &newlabel); if (error) return (error); /* * XXX: Note that this is a redundant privilege check, since * policies impose this check themselves if required by the * policy. Eventually, this should go away. */ error = suser_cred(cred, 0); if (error) goto out; MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label, &intlabel); if (error) goto out; MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel); out: mac_destroy_temp(&intlabel); return (error); } void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp) { MAC_PERFORM(create_devfs_vnode, de, &de->de_label, vp, &vp->v_label); } void mac_create_devfs_device(dev_t dev, struct devfs_dirent *de) { MAC_PERFORM(create_devfs_device, dev, de, &de->de_label); } static int mac_stdcreatevnode_ea(struct vnode *vp) { int error; MAC_CHECK(stdcreatevnode_ea, vp, &vp->v_label); return (error); } void mac_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *de) { MAC_PERFORM(create_devfs_directory, dirname, dirnamelen, de, &de->de_label); } /* * When a new vnode is created, this call will initialize its label. */ void mac_create_vnode(struct ucred *cred, struct vnode *parent, struct vnode *child) { int error; ASSERT_VOP_LOCKED(parent, "mac_create_vnode"); ASSERT_VOP_LOCKED(child, "mac_create_vnode"); error = vn_refreshlabel(parent, cred); if (error) { printf("mac_create_vnode: vn_refreshlabel returned %d\n", error); printf("mac_create_vnode: using old vnode label\n"); } MAC_PERFORM(create_vnode, cred, parent, &parent->v_label, child, &child->v_label); } int mac_setsockopt_label_set(struct ucred *cred, struct socket *so, struct mac *extmac) { struct label intlabel; int error; error = mac_internalize(&intlabel, extmac); if (error) return (error); mac_check_socket_relabel(cred, so, &intlabel); if (error) { mac_destroy_temp(&intlabel); return (error); } mac_relabel_socket(cred, so, &intlabel); mac_destroy_temp(&intlabel); return (0); } int mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) { int error; error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); mac_relabel_pipe(cred, pipe, label); return (0); } int mac_getsockopt_label_get(struct ucred *cred, struct socket *so, struct mac *extmac) { return (mac_externalize(&so->so_label, extmac)); } int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, struct mac *extmac) { return (mac_externalize(&so->so_peerlabel, extmac)); } /* * Implementation of VOP_SETLABEL() that relies on extended attributes * to store label data. Can be referenced by filesystems supporting * extended attributes. */ int vop_stdsetlabel_ea(struct vop_setlabel_args *ap) { struct vnode *vp = ap->a_vp; struct label *intlabel = ap->a_label; struct mac extmac; int error; ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea"); /* * XXX: Eventually call out to EA check/set calls here. * Be particularly careful to avoid race conditions, * consistency problems, and stability problems when * dealing with multiple EAs. In particular, we require * the ability to write multiple EAs on the same file in * a single transaction, which the current EA interface * does not provide. */ error = mac_externalize(intlabel, &extmac); if (error) return (error); error = vn_extattr_set(vp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, sizeof(extmac), (char *)&extmac, curthread); if (error) return (error); mac_relabel_vnode(ap->a_cred, vp, intlabel); vp->v_vflag |= VV_CACHEDLABEL; return (0); } static int vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) { int error; if (vp->v_mount == NULL) { /* printf("vn_setlabel: null v_mount\n"); */ if (vp->v_tag != VT_NON) printf("vn_setlabel: null v_mount with non-VT_NON\n"); return (EBADF); } if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) return (EOPNOTSUPP); /* * Multi-phase commit. First check the policies to confirm the * change is OK. Then commit via the filesystem. Finally, * update the actual vnode label. Question: maybe the filesystem * should update the vnode at the end as part of VOP_SETLABEL()? */ error = mac_check_vnode_relabel(cred, vp, intlabel); if (error) return (error); /* * VADMIN provides the opportunity for the filesystem to make * decisions about who is and is not able to modify labels * and protections on files. This might not be right. We can't * assume VOP_SETLABEL() will do it, because we might implement * that as part of vop_stdsetlabel_ea(). */ error = VOP_ACCESS(vp, VADMIN, cred, curthread); if (error) return (error); error = VOP_SETLABEL(vp, intlabel, cred, curthread); if (error) return (error); return (0); } /* * MPSAFE */ int __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) { struct mac extmac; int error; error = mac_externalize(&td->td_ucred->cr_label, &extmac); if (error == 0) error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); return (error); } /* * MPSAFE * * XXX: Needs to be re-written for proc locking. */ int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { struct ucred *newcred, *oldcred; struct proc *p; struct mac extmac; struct label intlabel; int error; error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) return (error); error = mac_internalize(&intlabel, &extmac); if (error) return (error); newcred = crget(); p = td->td_proc; PROC_LOCK(p); oldcred = p->p_ucred; error = mac_check_cred_relabel(oldcred, &intlabel); if (error) { PROC_UNLOCK(p); mac_destroy_temp(&intlabel); crfree(newcred); return (error); } setsugid(p); crcopy(newcred, oldcred); PROC_UNLOCK(p); mac_relabel_cred(newcred, &intlabel); PROC_LOCK(p); p->p_ucred = newcred; PROC_UNLOCK(p); crfree(oldcred); mac_destroy_temp(&intlabel); return (0); } /* * MPSAFE */ int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { struct file *fp; struct mac extmac; struct vnode *vp; struct pipe *pipe; int error; mtx_lock(&Giant); error = fget(td, SCARG(uap, fd), &fp); if (error) goto out; switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: vp = (struct vnode *)fp->f_data; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = vn_refreshlabel(vp, td->td_ucred); if (error == 0) error = mac_externalize(&vp->v_label, &extmac); VOP_UNLOCK(vp, 0, td); break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; error = mac_externalize(pipe->pipe_label, &extmac); break; default: error = EINVAL; } if (error == 0) error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); fdrop(fp, td); out: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { struct nameidata nd; struct mac extmac; int error; mtx_lock(&Giant); NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, SCARG(uap, path_p), td); error = namei(&nd); if (error) goto out; error = vn_refreshlabel(nd.ni_vp, td->td_ucred); if (error == 0) error = mac_externalize(&nd.ni_vp->v_label, &extmac); NDFREE(&nd, 0); if (error) goto out; error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); out: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { struct file *fp; struct mac extmac; struct label intlabel; struct mount *mp; struct vnode *vp; struct pipe *pipe; int error; mtx_lock(&Giant); error = fget(td, SCARG(uap, fd), &fp); if (error) goto out1; error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) goto out2; error = mac_internalize(&intlabel, &extmac); if (error) goto out2; switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: vp = (struct vnode *)fp->f_data; error = vn_start_write(vp, &mp, V_WAIT | PCATCH); if (error != 0) break; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = vn_setlabel(vp, &intlabel, td->td_ucred); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); mac_destroy_temp(&intlabel); break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); break; default: error = EINVAL; } out2: fdrop(fp, td); out1: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { struct nameidata nd; struct mac extmac; struct label intlabel; struct mount *mp; int error; mtx_lock(&Giant); error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) goto out; error = mac_internalize(&intlabel, &extmac); if (error) goto out; NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, SCARG(uap, path_p), td); error = namei(&nd); if (error) goto out2; error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error) goto out2; error = vn_setlabel(nd.ni_vp, &intlabel, td->td_ucred); vn_finished_write(mp); out2: mac_destroy_temp(&intlabel); NDFREE(&nd, 0); out: mtx_unlock(&Giant); return (error); } SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); #else /* !MAC */ int __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) { return (ENOSYS); } int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { return (ENOSYS); } int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { return (ENOSYS); } int __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { return (ENOSYS); } int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { return (ENOSYS); } int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { return (ENOSYS); } #endif /* !MAC */ Index: head/sys/security/mac/mac_syscalls.c =================================================================== --- head/sys/security/mac/mac_syscalls.c (revision 102111) +++ head/sys/security/mac/mac_syscalls.c (revision 102112) @@ -1,3174 +1,3221 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the * TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by NAI Labs, * the Security Research Division of Network Associates, Inc. under * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The names of the authors may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ /* * Developed by the TrustedBSD Project. * * Framework for extensible kernel access control. Kernel and userland * interface to the framework, policy registration and composition. */ #include "opt_mac.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef MAC /* * Declare that the kernel provides MAC support, version 1. This permits * modules to refuse to be loaded if the necessary support isn't present, * even if it's pre-boot. */ MODULE_VERSION(kernel_mac_support, 1); SYSCTL_DECL(_security); SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0, "TrustedBSD MAC policy controls"); SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0, "TrustedBSD MAC debug info"); static int mac_debug_label_fallback = 0; SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW, &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label" "when label is corrupted."); TUNABLE_INT("security.mac.debug_label_fallback", &mac_debug_label_fallback); #ifndef MAC_MAX_POLICIES #define MAC_MAX_POLICIES 8 #endif #if MAC_MAX_POLICIES > 32 #error "MAC_MAX_POLICIES too large" #endif static unsigned int mac_max_policies = MAC_MAX_POLICIES; static unsigned int mac_policy_offsets_free = (1 << MAC_MAX_POLICIES) - 1; SYSCTL_UINT(_security_mac, OID_AUTO, max_policies, CTLFLAG_RD, &mac_max_policies, 0, ""); static int mac_late = 0; static int mac_enforce_fs = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); static int mac_enforce_network = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, &mac_enforce_network, 0, "Enforce MAC policy on network packets"); TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network); static int mac_enforce_process = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW, &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations"); TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process); static int mac_enforce_socket = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); static int mac_enforce_pipe = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW, &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations"); static int mac_label_size = sizeof(struct mac); SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, &mac_label_size, 0, "Pre-compiled MAC label size"); static int mac_cache_fslabel_in_vnode = 1; SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW, &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode"); TUNABLE_INT("security.mac.cache_fslabel_in_vnode", &mac_cache_fslabel_in_vnode); static int mac_vnode_label_cache_hits = 0; SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD, &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels"); static int mac_vnode_label_cache_misses = 0; SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD, &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels"); static int mac_mmap_revocation_via_cow = 0; SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " "copy-on-write semantics, or by removing all write access"); #ifdef MAC_DEBUG static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, nmacipqs, nmacpipes; SYSCTL_UINT(_security_mac_debug, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, creds, CTLFLAG_RD, &nmaccreds, 0, "number of ucreds in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, ifnets, CTLFLAG_RD, &nmacifnets, 0, "number of ifnets in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, ipqs, CTLFLAG_RD, &nmacipqs, 0, "number of ipqs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, bpfdescs, CTLFLAG_RD, &nmacbpfdescs, 0, "number of bpfdescs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, pipes, CTLFLAG_RD, &nmacpipes, 0, "number of pipes in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, mounts, CTLFLAG_RD, &nmacmounts, 0, "number of mounts in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, temp, CTLFLAG_RD, &nmactemp, 0, "number of temporary labels in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, vnodes, CTLFLAG_RD, &nmacvnodes, 0, "number of vnodes in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, devfsdirents, CTLFLAG_RD, &nmacdevfsdirents, 0, "number of devfs dirents inuse"); #endif static int error_select(int error1, int error2); static int mac_externalize(struct label *label, struct mac *mac); static int mac_policy_register(struct mac_policy_conf *mpc); static int mac_policy_unregister(struct mac_policy_conf *mpc); static int mac_stdcreatevnode_ea(struct vnode *vp); static void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred); static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map); MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector"); MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes"); /* * mac_policy_list_lock protects the consistency of 'mac_policy_list', * the linked list of attached policy modules. Read-only consumers of * the list must acquire a shared lock for the duration of their use; * writers must acquire an exclusive lock. Note that for compound * operations, locks should be held for the entire compound operation, * and that this is not yet done for relabel requests. */ static struct mtx mac_policy_list_lock; static LIST_HEAD(, mac_policy_conf) mac_policy_list; static int mac_policy_list_busy; #define MAC_POLICY_LIST_LOCKINIT() mtx_init(&mac_policy_list_lock, \ "mac_policy_list_lock", NULL, MTX_DEF); #define MAC_POLICY_LIST_LOCK() mtx_lock(&mac_policy_list_lock); #define MAC_POLICY_LIST_UNLOCK() mtx_unlock(&mac_policy_list_lock); #define MAC_POLICY_LIST_BUSY() do { \ MAC_POLICY_LIST_LOCK(); \ mac_policy_list_busy++; \ MAC_POLICY_LIST_UNLOCK(); \ } while (0) #define MAC_POLICY_LIST_UNBUSY() do { \ MAC_POLICY_LIST_LOCK(); \ mac_policy_list_busy--; \ if (mac_policy_list_busy < 0) \ panic("Extra mac_policy_list_busy--"); \ MAC_POLICY_LIST_UNLOCK(); \ } while (0) /* * MAC_CHECK performs the designated check by walking the policy * module list and checking with each as to how it feels about the * request. Note that it returns its value via 'error' in the scope * of the caller. */ #define MAC_CHECK(check, args...) do { \ struct mac_policy_conf *mpc; \ \ error = 0; \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## check != NULL) \ error = error_select( \ mpc->mpc_ops->mpo_ ## check (args), \ error); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * MAC_BOOLEAN performs the designated boolean composition by walking * the module list, invoking each instance of the operation, and * combining the results using the passed C operator. Note that it * returns its value via 'result' in the scope of the caller, which * should be initialized by the caller in a meaningful way to get * a meaningful result. */ #define MAC_BOOLEAN(operation, composition, args...) do { \ struct mac_policy_conf *mpc; \ \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## operation != NULL) \ result = result composition \ mpc->mpc_ops->mpo_ ## operation (args); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * MAC_PERFORM performs the designated operation by walking the policy * module list and invoking that operation for each policy. */ #define MAC_PERFORM(operation, args...) do { \ struct mac_policy_conf *mpc; \ \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## operation != NULL) \ mpc->mpc_ops->mpo_ ## operation (args); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * Initialize the MAC subsystem, including appropriate SMP locks. */ static void mac_init(void) { LIST_INIT(&mac_policy_list); MAC_POLICY_LIST_LOCKINIT(); } /* * For the purposes of modules that want to know if they were loaded * "early", set the mac_late flag once we've processed modules either * linked into the kernel, or loaded before the kernel startup. */ static void mac_late_init(void) { mac_late = 1; } /* * Allow MAC policy modules to register during boot, etc. */ int mac_policy_modevent(module_t mod, int type, void *data) { struct mac_policy_conf *mpc; int error; error = 0; mpc = (struct mac_policy_conf *) data; switch (type) { case MOD_LOAD: if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE && mac_late) { printf("mac_policy_modevent: can't load %s policy " "after booting\n", mpc->mpc_name); error = EBUSY; break; } error = mac_policy_register(mpc); break; case MOD_UNLOAD: /* Don't unregister the module if it was never registered. */ if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) != 0) error = mac_policy_unregister(mpc); else error = 0; break; default: break; } return (error); } static int mac_policy_register(struct mac_policy_conf *mpc) { struct mac_policy_conf *tmpc; struct mac_policy_ops *ops; struct mac_policy_op_entry *mpe; int slot; MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*ops), M_MACOPVEC, M_WAITOK | M_ZERO); for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) { switch (mpe->mpe_constant) { case MAC_OP_LAST: /* * Doesn't actually happen, but this allows checking * that all enumerated values are handled. */ break; case MAC_DESTROY: mpc->mpc_ops->mpo_destroy = mpe->mpe_function; break; case MAC_INIT: mpc->mpc_ops->mpo_init = mpe->mpe_function; break; case MAC_INIT_BPFDESC: mpc->mpc_ops->mpo_init_bpfdesc = mpe->mpe_function; break; case MAC_INIT_CRED: mpc->mpc_ops->mpo_init_cred = mpe->mpe_function; break; case MAC_INIT_DEVFSDIRENT: mpc->mpc_ops->mpo_init_devfsdirent = mpe->mpe_function; break; case MAC_INIT_IFNET: mpc->mpc_ops->mpo_init_ifnet = mpe->mpe_function; break; case MAC_INIT_IPQ: mpc->mpc_ops->mpo_init_ipq = mpe->mpe_function; break; case MAC_INIT_MBUF: mpc->mpc_ops->mpo_init_mbuf = mpe->mpe_function; break; case MAC_INIT_MOUNT: mpc->mpc_ops->mpo_init_mount = mpe->mpe_function; break; case MAC_INIT_PIPE: mpc->mpc_ops->mpo_init_pipe = mpe->mpe_function; break; case MAC_INIT_SOCKET: mpc->mpc_ops->mpo_init_socket = mpe->mpe_function; break; case MAC_INIT_TEMP: mpc->mpc_ops->mpo_init_temp = mpe->mpe_function; break; case MAC_INIT_VNODE: mpc->mpc_ops->mpo_init_vnode = mpe->mpe_function; break; case MAC_DESTROY_BPFDESC: mpc->mpc_ops->mpo_destroy_bpfdesc = mpe->mpe_function; break; case MAC_DESTROY_CRED: mpc->mpc_ops->mpo_destroy_cred = mpe->mpe_function; break; case MAC_DESTROY_DEVFSDIRENT: mpc->mpc_ops->mpo_destroy_devfsdirent = mpe->mpe_function; break; case MAC_DESTROY_IFNET: mpc->mpc_ops->mpo_destroy_ifnet = mpe->mpe_function; break; case MAC_DESTROY_IPQ: mpc->mpc_ops->mpo_destroy_ipq = mpe->mpe_function; break; case MAC_DESTROY_MBUF: mpc->mpc_ops->mpo_destroy_mbuf = mpe->mpe_function; break; case MAC_DESTROY_MOUNT: mpc->mpc_ops->mpo_destroy_mount = mpe->mpe_function; break; case MAC_DESTROY_PIPE: mpc->mpc_ops->mpo_destroy_pipe = mpe->mpe_function; break; case MAC_DESTROY_SOCKET: mpc->mpc_ops->mpo_destroy_socket = mpe->mpe_function; break; case MAC_DESTROY_TEMP: mpc->mpc_ops->mpo_destroy_temp = mpe->mpe_function; break; case MAC_DESTROY_VNODE: mpc->mpc_ops->mpo_destroy_vnode = mpe->mpe_function; break; case MAC_EXTERNALIZE: mpc->mpc_ops->mpo_externalize = mpe->mpe_function; break; case MAC_INTERNALIZE: mpc->mpc_ops->mpo_internalize = mpe->mpe_function; break; case MAC_CREATE_DEVFS_DEVICE: mpc->mpc_ops->mpo_create_devfs_device = mpe->mpe_function; break; case MAC_CREATE_DEVFS_DIRECTORY: mpc->mpc_ops->mpo_create_devfs_directory = mpe->mpe_function; break; case MAC_CREATE_DEVFS_VNODE: mpc->mpc_ops->mpo_create_devfs_vnode = mpe->mpe_function; break; case MAC_STDCREATEVNODE_EA: mpc->mpc_ops->mpo_stdcreatevnode_ea = mpe->mpe_function; break; case MAC_CREATE_VNODE: mpc->mpc_ops->mpo_create_vnode = mpe->mpe_function; break; case MAC_CREATE_MOUNT: mpc->mpc_ops->mpo_create_mount = mpe->mpe_function; break; case MAC_CREATE_ROOT_MOUNT: mpc->mpc_ops->mpo_create_root_mount = mpe->mpe_function; break; case MAC_RELABEL_VNODE: mpc->mpc_ops->mpo_relabel_vnode = mpe->mpe_function; break; case MAC_UPDATE_DEVFSDIRENT: mpc->mpc_ops->mpo_update_devfsdirent = mpe->mpe_function; break; case MAC_UPDATE_PROCFSVNODE: mpc->mpc_ops->mpo_update_procfsvnode = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_EXTATTR: mpc->mpc_ops->mpo_update_vnode_from_extattr = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_EXTERNALIZED: mpc->mpc_ops->mpo_update_vnode_from_externalized = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_MOUNT: mpc->mpc_ops->mpo_update_vnode_from_mount = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_SOCKET: mpc->mpc_ops->mpo_create_mbuf_from_socket = mpe->mpe_function; break; case MAC_CREATE_PIPE: mpc->mpc_ops->mpo_create_pipe = mpe->mpe_function; break; case MAC_CREATE_SOCKET: mpc->mpc_ops->mpo_create_socket = mpe->mpe_function; break; case MAC_CREATE_SOCKET_FROM_SOCKET: mpc->mpc_ops->mpo_create_socket_from_socket = mpe->mpe_function; break; case MAC_RELABEL_PIPE: mpc->mpc_ops->mpo_relabel_pipe = mpe->mpe_function; break; case MAC_RELABEL_SOCKET: mpc->mpc_ops->mpo_relabel_socket = mpe->mpe_function; break; case MAC_SET_SOCKET_PEER_FROM_MBUF: mpc->mpc_ops->mpo_set_socket_peer_from_mbuf = mpe->mpe_function; break; case MAC_SET_SOCKET_PEER_FROM_SOCKET: mpc->mpc_ops->mpo_set_socket_peer_from_socket = mpe->mpe_function; break; case MAC_CREATE_BPFDESC: mpc->mpc_ops->mpo_create_bpfdesc = mpe->mpe_function; break; case MAC_CREATE_DATAGRAM_FROM_IPQ: mpc->mpc_ops->mpo_create_datagram_from_ipq = mpe->mpe_function; break; case MAC_CREATE_FRAGMENT: mpc->mpc_ops->mpo_create_fragment = mpe->mpe_function; break; case MAC_CREATE_IFNET: mpc->mpc_ops->mpo_create_ifnet = mpe->mpe_function; break; case MAC_CREATE_IPQ: mpc->mpc_ops->mpo_create_ipq = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_MBUF: mpc->mpc_ops->mpo_create_mbuf_from_mbuf = mpe->mpe_function; break; case MAC_CREATE_MBUF_LINKLAYER: mpc->mpc_ops->mpo_create_mbuf_linklayer = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_BPFDESC: mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_IFNET: mpc->mpc_ops->mpo_create_mbuf_from_ifnet = mpe->mpe_function; break; case MAC_CREATE_MBUF_MULTICAST_ENCAP: mpc->mpc_ops->mpo_create_mbuf_multicast_encap = mpe->mpe_function; break; case MAC_CREATE_MBUF_NETLAYER: mpc->mpc_ops->mpo_create_mbuf_netlayer = mpe->mpe_function; break; case MAC_FRAGMENT_MATCH: mpc->mpc_ops->mpo_fragment_match = mpe->mpe_function; break; case MAC_RELABEL_IFNET: mpc->mpc_ops->mpo_relabel_ifnet = mpe->mpe_function; break; case MAC_UPDATE_IPQ: mpc->mpc_ops->mpo_update_ipq = mpe->mpe_function; break; case MAC_CREATE_CRED: mpc->mpc_ops->mpo_create_cred = mpe->mpe_function; break; case MAC_EXECVE_TRANSITION: mpc->mpc_ops->mpo_execve_transition = mpe->mpe_function; break; case MAC_EXECVE_WILL_TRANSITION: mpc->mpc_ops->mpo_execve_will_transition = mpe->mpe_function; break; case MAC_CREATE_PROC0: mpc->mpc_ops->mpo_create_proc0 = mpe->mpe_function; break; case MAC_CREATE_PROC1: mpc->mpc_ops->mpo_create_proc1 = mpe->mpe_function; break; case MAC_RELABEL_CRED: mpc->mpc_ops->mpo_relabel_cred = mpe->mpe_function; break; case MAC_CHECK_BPFDESC_RECEIVE: mpc->mpc_ops->mpo_check_bpfdesc_receive = mpe->mpe_function; break; case MAC_CHECK_CRED_RELABEL: mpc->mpc_ops->mpo_check_cred_relabel = mpe->mpe_function; break; case MAC_CHECK_CRED_VISIBLE: mpc->mpc_ops->mpo_check_cred_visible = mpe->mpe_function; break; case MAC_CHECK_IFNET_RELABEL: mpc->mpc_ops->mpo_check_ifnet_relabel = mpe->mpe_function; break; case MAC_CHECK_IFNET_TRANSMIT: mpc->mpc_ops->mpo_check_ifnet_transmit = mpe->mpe_function; break; case MAC_CHECK_MOUNT_STAT: mpc->mpc_ops->mpo_check_mount_stat = mpe->mpe_function; break; case MAC_CHECK_PIPE_IOCTL: mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; case MAC_CHECK_PIPE_OP: mpc->mpc_ops->mpo_check_pipe_op = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; break; case MAC_CHECK_PROC_SCHED: mpc->mpc_ops->mpo_check_proc_sched = mpe->mpe_function; break; case MAC_CHECK_PROC_SIGNAL: mpc->mpc_ops->mpo_check_proc_signal = mpe->mpe_function; break; case MAC_CHECK_SOCKET_BIND: mpc->mpc_ops->mpo_check_socket_bind = mpe->mpe_function; break; case MAC_CHECK_SOCKET_CONNECT: mpc->mpc_ops->mpo_check_socket_connect = mpe->mpe_function; break; case MAC_CHECK_SOCKET_DELIVER: mpc->mpc_ops->mpo_check_socket_deliver = mpe->mpe_function; break; case MAC_CHECK_SOCKET_LISTEN: mpc->mpc_ops->mpo_check_socket_listen = mpe->mpe_function; break; case MAC_CHECK_SOCKET_RELABEL: mpc->mpc_ops->mpo_check_socket_relabel = mpe->mpe_function; break; case MAC_CHECK_SOCKET_VISIBLE: mpc->mpc_ops->mpo_check_socket_visible = mpe->mpe_function; break; case MAC_CHECK_VNODE_ACCESS: mpc->mpc_ops->mpo_check_vnode_access = mpe->mpe_function; break; case MAC_CHECK_VNODE_CHDIR: mpc->mpc_ops->mpo_check_vnode_chdir = mpe->mpe_function; break; case MAC_CHECK_VNODE_CHROOT: mpc->mpc_ops->mpo_check_vnode_chroot = mpe->mpe_function; break; case MAC_CHECK_VNODE_CREATE: mpc->mpc_ops->mpo_check_vnode_create = mpe->mpe_function; break; case MAC_CHECK_VNODE_DELETE: mpc->mpc_ops->mpo_check_vnode_delete = mpe->mpe_function; break; case MAC_CHECK_VNODE_DELETEACL: mpc->mpc_ops->mpo_check_vnode_deleteacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_EXEC: mpc->mpc_ops->mpo_check_vnode_exec = mpe->mpe_function; break; case MAC_CHECK_VNODE_GETACL: mpc->mpc_ops->mpo_check_vnode_getacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_GETEXTATTR: mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; case MAC_CHECK_VNODE_LOOKUP: mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; break; case MAC_CHECK_VNODE_MMAP_PERMS: mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; break; case MAC_CHECK_VNODE_READLINK: mpc->mpc_ops->mpo_check_vnode_readlink = mpe->mpe_function; break; case MAC_CHECK_VNODE_RELABEL: mpc->mpc_ops->mpo_check_vnode_relabel = mpe->mpe_function; break; case MAC_CHECK_VNODE_RENAME_FROM: mpc->mpc_ops->mpo_check_vnode_rename_from = mpe->mpe_function; break; case MAC_CHECK_VNODE_RENAME_TO: mpc->mpc_ops->mpo_check_vnode_rename_to = mpe->mpe_function; break; case MAC_CHECK_VNODE_REVOKE: mpc->mpc_ops->mpo_check_vnode_revoke = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETACL: mpc->mpc_ops->mpo_check_vnode_setacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETEXTATTR: mpc->mpc_ops->mpo_check_vnode_setextattr = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETFLAGS: mpc->mpc_ops->mpo_check_vnode_setflags = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETMODE: mpc->mpc_ops->mpo_check_vnode_setmode = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETOWNER: mpc->mpc_ops->mpo_check_vnode_setowner = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETUTIMES: mpc->mpc_ops->mpo_check_vnode_setutimes = mpe->mpe_function; break; case MAC_CHECK_VNODE_STAT: mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", mpc->mpc_name, mpe->mpe_constant); return (EINVAL); */ } } MAC_POLICY_LIST_LOCK(); if (mac_policy_list_busy > 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (EBUSY); } LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (EEXIST); } } if (mpc->mpc_field_off != NULL) { slot = ffs(mac_policy_offsets_free); if (slot == 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (ENOMEM); } slot--; mac_policy_offsets_free &= ~(1 << slot); *mpc->mpc_field_off = slot; } mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED; LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list); /* Per-policy initialization. */ if (mpc->mpc_ops->mpo_init != NULL) (*(mpc->mpc_ops->mpo_init))(mpc); MAC_POLICY_LIST_UNLOCK(); printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); return (0); } static int mac_policy_unregister(struct mac_policy_conf *mpc) { #if 0 /* * Don't allow unloading modules with private data. */ if (mpc->mpc_field_off != NULL) return (EBUSY); #endif if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) return (EBUSY); MAC_POLICY_LIST_LOCK(); if (mac_policy_list_busy > 0) { MAC_POLICY_LIST_UNLOCK(); return (EBUSY); } if (mpc->mpc_ops->mpo_destroy != NULL) (*(mpc->mpc_ops->mpo_destroy))(mpc); LIST_REMOVE(mpc, mpc_list); MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); return (0); } /* * Define an error value precedence, and given two arguments, selects the * value with the higher precedence. */ static int error_select(int error1, int error2) { /* Certain decision-making errors take top priority. */ if (error1 == EDEADLK || error2 == EDEADLK) return (EDEADLK); /* Invalid arguments should be reported where possible. */ if (error1 == EINVAL || error2 == EINVAL) return (EINVAL); /* Precedence goes to "visibility", with both process and file. */ if (error1 == ESRCH || error2 == ESRCH) return (ESRCH); if (error1 == ENOENT || error2 == ENOENT) return (ENOENT); /* Precedence goes to DAC/MAC protections. */ if (error1 == EACCES || error2 == EACCES) return (EACCES); /* Precedence goes to privilege. */ if (error1 == EPERM || error2 == EPERM) return (EPERM); /* Precedence goes to error over success; otherwise, arbitrary. */ if (error1 != 0) return (error1); return (error2); } void mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp) { MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label); } void mac_update_procfsvnode(struct vnode *vp, struct ucred *cred) { MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred); } /* * Support callout for policies that manage their own externalization * using extended attributes. */ static int mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp) { int error; MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp, &mp->mnt_fslabel); return (error); } /* * Given an externalized mac label, internalize it and stamp it on a * vnode. */ static int mac_update_vnode_from_externalized(struct vnode *vp, struct mac *extmac) { int error; MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac); return (error); } /* * Call out to individual policies to update the label in a vnode from * the mountpoint. */ void mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp) { MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp, &mp->mnt_fslabel); ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount"); if (mac_cache_fslabel_in_vnode) vp->v_vflag |= VV_CACHEDLABEL; } /* * Implementation of VOP_REFRESHLABEL() that relies on extended attributes * to store label data. Can be referenced by filesystems supporting * extended attributes. */ int vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap) { struct vnode *vp = ap->a_vp; struct mac extmac; int buflen, error; ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea"); /* * Call out to external policies first. Order doesn't really * matter, as long as failure of one assures failure of all. */ error = mac_update_vnode_from_extattr(vp, vp->v_mount); if (error) return (error); buflen = sizeof(extmac); error = vn_extattr_get(vp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen, (char *)&extmac, curthread); switch (error) { case 0: /* Got it */ break; case ENOATTR: /* * Use the label from the mount point. */ mac_update_vnode_from_mount(vp, vp->v_mount); return (0); case EOPNOTSUPP: default: /* Fail horribly. */ return (error); } if (buflen != sizeof(extmac)) error = EPERM; /* Fail very closed. */ if (error == 0) error = mac_update_vnode_from_externalized(vp, &extmac); if (error == 0) vp->v_vflag |= VV_CACHEDLABEL; else { struct vattr va; printf("Corrupted label on %s", vp->v_mount->mnt_stat.f_mntonname); if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0) printf(" inum %ld", va.va_fileid); if (mac_debug_label_fallback) { printf(", falling back.\n"); mac_update_vnode_from_mount(vp, vp->v_mount); error = 0; } else { printf(".\n"); error = EPERM; } } return (error); } /* * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle * the labeling activity outselves. Filesystems should be careful not * to change their minds regarding whether they support vop_refreshlabel() * for a vnode or not. Don't cache the vnode here, allow the file * system code to determine if it's safe to cache. If we update from * the mount, don't cache since a change to the mount label should affect * all vnodes. */ static int vn_refreshlabel(struct vnode *vp, struct ucred *cred) { int error; ASSERT_VOP_LOCKED(vp, "vn_refreshlabel"); if (vp->v_mount == NULL) { /* Eventually, we probably want to special-case refreshing of deadfs vnodes, and if there's a lock-free race somewhere, that case might be handled here. mac_update_vnode_deadfs(vp); return (0); */ /* printf("vn_refreshlabel: null v_mount\n"); */ if (vp->v_tag != VT_NON) printf( "vn_refreshlabel: null v_mount with non-VT_NON\n"); return (EBADF); } if (vp->v_vflag & VV_CACHEDLABEL) { mac_vnode_label_cache_hits++; return (0); } else mac_vnode_label_cache_misses++; if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { mac_update_vnode_from_mount(vp, vp->v_mount); return (0); } error = VOP_REFRESHLABEL(vp, cred, curthread); switch (error) { case EOPNOTSUPP: /* * If labels are not supported on this vnode, fall back to * the label in the mount and propagate it to the vnode. * There should probably be some sort of policy/flag/decision * about doing this. */ mac_update_vnode_from_mount(vp, vp->v_mount); error = 0; default: return (error); } } /* * Helper function for file systems using the vop_std*_ea() calls. This * function must be called after EA service is available for the vnode, * but before it's hooked up to the namespace so that the node persists * if there's a crash, or before it can be accessed. On successful * commit of the label to disk (etc), do cache the label. */ int vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred) { struct mac extmac; int error; ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea"); if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { mac_update_vnode_from_mount(tvp, tvp->v_mount); } else { error = vn_refreshlabel(dvp, cred); if (error) return (error); /* * Stick the label in the vnode. Then try to write to * disk. If we fail, return a failure to abort the * create operation. Really, this failure shouldn't * happen except in fairly unusual circumstances (out * of disk, etc). */ mac_create_vnode(cred, dvp, tvp); error = mac_stdcreatevnode_ea(tvp); if (error) return (error); /* * XXX: Eventually this will go away and all policies will * directly manage their extended attributes. */ error = mac_externalize(&tvp->v_label, &extmac); if (error) return (error); error = vn_extattr_set(tvp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, sizeof(extmac), (char *)&extmac, curthread); if (error == 0) tvp->v_vflag |= VV_CACHEDLABEL; else { #if 0 /* * In theory, we could have fall-back behavior here. * It would probably be incorrect. */ #endif return (error); } } return (0); } void mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_execve_transition"); error = vn_refreshlabel(vp, old); if (error) { printf("mac_execve_transition: vn_refreshlabel returned %d\n", error); printf("mac_execve_transition: using old vnode label\n"); } MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label); } int mac_execve_will_transition(struct ucred *old, struct vnode *vp) { int error, result; error = vn_refreshlabel(vp, old); if (error) return (error); result = 0; MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label); return (result); } static void mac_init_label(struct label *label) { bzero(label, sizeof(*label)); label->l_flags = MAC_FLAG_INITIALIZED; } static void mac_init_structmac(struct mac *mac) { bzero(mac, sizeof(*mac)); mac->m_macflags = MAC_FLAG_INITIALIZED; } static void mac_destroy_label(struct label *label) { KASSERT(label->l_flags & MAC_FLAG_INITIALIZED, ("destroying uninitialized label")); bzero(label, sizeof(*label)); /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */ } int mac_init_mbuf(struct mbuf *m, int how) { KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf")); /* "how" is one of M_(TRY|DONT)WAIT */ mac_init_label(&m->m_pkthdr.label); MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_add_int(&nmacmbufs, 1); #endif return (0); } void mac_destroy_mbuf(struct mbuf *m) { MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmbufs, 1); #endif } void mac_init_cred(struct ucred *cr) { mac_init_label(&cr->cr_label); MAC_PERFORM(init_cred, cr, &cr->cr_label); #ifdef MAC_DEBUG atomic_add_int(&nmaccreds, 1); #endif } void mac_destroy_cred(struct ucred *cr) { MAC_PERFORM(destroy_cred, cr, &cr->cr_label); mac_destroy_label(&cr->cr_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmaccreds, 1); #endif } void mac_init_ifnet(struct ifnet *ifp) { mac_init_label(&ifp->if_label); MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); #ifdef MAC_DEBUG atomic_add_int(&nmacifnets, 1); #endif } void mac_destroy_ifnet(struct ifnet *ifp) { MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacifnets, 1); #endif } void mac_init_ipq(struct ipq *ipq) { mac_init_label(&ipq->ipq_label); MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); #ifdef MAC_DEBUG atomic_add_int(&nmacipqs, 1); #endif } void mac_destroy_ipq(struct ipq *ipq) { MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); mac_destroy_label(&ipq->ipq_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacipqs, 1); #endif } void mac_init_socket(struct socket *socket) { mac_init_label(&socket->so_label); mac_init_label(&socket->so_peerlabel); MAC_PERFORM(init_socket, socket, &socket->so_label, &socket->so_peerlabel); #ifdef MAC_DEBUG atomic_add_int(&nmacsockets, 1); #endif } void mac_destroy_socket(struct socket *socket) { MAC_PERFORM(destroy_socket, socket, &socket->so_label, &socket->so_peerlabel); mac_destroy_label(&socket->so_label); mac_destroy_label(&socket->so_peerlabel); #ifdef MAC_DEBUG atomic_subtract_int(&nmacsockets, 1); #endif } void mac_init_pipe(struct pipe *pipe) { struct label *label; label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); mac_init_label(label); pipe->pipe_label = label; pipe->pipe_peer->pipe_label = label; MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); #ifdef MAC_DEBUG atomic_add_int(&nmacpipes, 1); #endif } void mac_destroy_pipe(struct pipe *pipe) { MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); mac_destroy_label(pipe->pipe_label); free(pipe->pipe_label, M_MACPIPELABEL); #ifdef MAC_DEBUG atomic_subtract_int(&nmacpipes, 1); #endif } void mac_init_bpfdesc(struct bpf_d *bpf_d) { mac_init_label(&bpf_d->bd_label); MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); #ifdef MAC_DEBUG atomic_add_int(&nmacbpfdescs, 1); #endif } void mac_destroy_bpfdesc(struct bpf_d *bpf_d) { MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); mac_destroy_label(&bpf_d->bd_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacbpfdescs, 1); #endif } void mac_init_mount(struct mount *mp) { mac_init_label(&mp->mnt_mntlabel); mac_init_label(&mp->mnt_fslabel); MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); #ifdef MAC_DEBUG atomic_add_int(&nmacmounts, 1); #endif } void mac_destroy_mount(struct mount *mp) { MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); mac_destroy_label(&mp->mnt_fslabel); mac_destroy_label(&mp->mnt_mntlabel); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmounts, 1); #endif } static void mac_init_temp(struct label *label) { mac_init_label(label); MAC_PERFORM(init_temp, label); #ifdef MAC_DEBUG atomic_add_int(&nmactemp, 1); #endif } static void mac_destroy_temp(struct label *label) { MAC_PERFORM(destroy_temp, label); mac_destroy_label(label); #ifdef MAC_DEBUG atomic_subtract_int(&nmactemp, 1); #endif } void mac_init_vnode(struct vnode *vp) { mac_init_label(&vp->v_label); MAC_PERFORM(init_vnode, vp, &vp->v_label); #ifdef MAC_DEBUG atomic_add_int(&nmacvnodes, 1); #endif } void mac_destroy_vnode(struct vnode *vp) { MAC_PERFORM(destroy_vnode, vp, &vp->v_label); mac_destroy_label(&vp->v_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacvnodes, 1); #endif } void mac_init_devfsdirent(struct devfs_dirent *de) { mac_init_label(&de->de_label); MAC_PERFORM(init_devfsdirent, de, &de->de_label); #ifdef MAC_DEBUG atomic_add_int(&nmacdevfsdirents, 1); #endif } void mac_destroy_devfsdirent(struct devfs_dirent *de) { MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); mac_destroy_label(&de->de_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacdevfsdirents, 1); #endif } static int mac_externalize(struct label *label, struct mac *mac) { int error; mac_init_structmac(mac); MAC_CHECK(externalize, label, mac); return (error); } static int mac_internalize(struct label *label, struct mac *mac) { int error; mac_init_temp(label); MAC_CHECK(internalize, label, mac); if (error) mac_destroy_temp(label); return (error); } /* * Initialize MAC label for the first kernel process, from which other * kernel processes and threads are spawned. */ void mac_create_proc0(struct ucred *cred) { MAC_PERFORM(create_proc0, cred); } /* * Initialize MAC label for the first userland process, from which other * userland processes and threads are spawned. */ void mac_create_proc1(struct ucred *cred) { MAC_PERFORM(create_proc1, cred); } /* * When a new process is created, its label must be initialized. Generally, * this involves inheritence from the parent process, modulo possible * deltas. This function allows that processing to take place. */ void mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred) { MAC_PERFORM(create_cred, parent_cred, child_cred); } int mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags); return (error); } int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct componentname *cnp, struct vattr *vap) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap); return (error); } int mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type); return (error); } int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec"); if (!mac_enforce_process && !mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label); return (error); } int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type); return (error); } int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp); return (error); } vm_prot_t mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) { vm_prot_t result = VM_PROT_ALL; /* * This should be some sort of MAC_BITWISE, maybe :) */ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_perms"); MAC_BOOLEAN(check_vnode_mmap_perms, &, cred, vp, &vp->v_label, newmapping); return (result); } int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) +mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + if (!mac_enforce_fs) return (0); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + return (error); +} + +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); + error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); return (error); } int -mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + return (error); } int mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label); return (error); } static int mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel"); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel); return (error); } int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, struct vnode *vp, int samedir, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); if (vp != NULL) { error = vn_refreshlabel(vp, cred); if (error) return (error); } MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp, vp != NULL ? &vp->v_label : NULL, samedir, cnp); return (error); } int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label); return (error); } int mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, struct acl *acl) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl); return (error); } int mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags); return (error); } int mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode); return (error); } int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, gid_t gid) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid); return (error); } int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime, mtime); return (error); } int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label); return (error); } + +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its * memory space, and revoke access (in the least surprising ways we * know) when necessary. The process lock is not held here. */ static void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred) { /* XXX freeze all other threads */ mtx_lock(&Giant); mac_cred_mmapped_drop_perms_recurse(td, cred, &td->td_proc->p_vmspace->vm_map); mtx_unlock(&Giant); /* XXX allow other threads to continue */ } static __inline const char * prot2str(vm_prot_t prot) { switch (prot & VM_PROT_ALL) { case VM_PROT_READ: return ("r--"); case VM_PROT_READ | VM_PROT_WRITE: return ("rw-"); case VM_PROT_READ | VM_PROT_EXECUTE: return ("r-x"); case VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE: return ("rwx"); case VM_PROT_WRITE: return ("-w-"); case VM_PROT_EXECUTE: return ("--x"); case VM_PROT_WRITE | VM_PROT_EXECUTE: return ("-wx"); default: return ("---"); } } static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map) { struct vm_map_entry *vme; vm_prot_t result, revokeperms; vm_object_t object; vm_ooffset_t offset; struct vnode *vp; vm_map_lock_read(map); for (vme = map->header.next; vme != &map->header; vme = vme->next) { if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) { mac_cred_mmapped_drop_perms_recurse(td, cred, vme->object.sub_map); continue; } /* * Skip over entries that obviously are not shared. */ if (vme->eflags & (MAP_ENTRY_COW | MAP_ENTRY_NOSYNC) || !vme->max_protection) continue; /* * Drill down to the deepest backing object. */ offset = vme->offset; object = vme->object.vm_object; if (object == NULL) continue; while (object->backing_object != NULL) { object = object->backing_object; offset += object->backing_object_offset; } /* * At the moment, vm_maps and objects aren't considered * by the MAC system, so only things with backing by a * normal object (read: vnodes) are checked. */ if (object->type != OBJT_VNODE) continue; vp = (struct vnode *)object->handle; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); result = mac_check_vnode_mmap_prot(cred, vp, 0); VOP_UNLOCK(vp, 0, td); /* * Find out what maximum protection we may be allowing * now but a policy needs to get removed. */ revokeperms = vme->max_protection & ~result; if (!revokeperms) continue; printf("pid %d: revoking %s perms from %#lx:%d " "(max %s/cur %s)\n", td->td_proc->p_pid, prot2str(revokeperms), vme->start, vme->end - vme->start, prot2str(vme->max_protection), prot2str(vme->protection)); vm_map_lock_upgrade(map); /* * This is the really simple case: if a map has more * max_protection than is allowed, but it's not being * actually used (that is, the current protection is * still allowed), we can just wipe it out and do * nothing more. */ if ((vme->protection & revokeperms) == 0) { vme->max_protection -= revokeperms; } else { if (revokeperms & VM_PROT_WRITE) { /* * In the more complicated case, flush out all * pending changes to the object then turn it * copy-on-write. */ vm_object_reference(object); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); vm_object_page_clean(object, OFF_TO_IDX(offset), OFF_TO_IDX(offset + vme->end - vme->start + PAGE_MASK), OBJPC_SYNC); VOP_UNLOCK(vp, 0, td); vm_object_deallocate(object); /* * Why bother if there's no read permissions * anymore? For the rest, we need to leave * the write permissions on for COW, or * remove them entirely if configured to. */ if (!mac_mmap_revocation_via_cow) { vme->max_protection &= ~VM_PROT_WRITE; vme->protection &= ~VM_PROT_WRITE; } if ((revokeperms & VM_PROT_READ) == 0) vme->eflags |= MAP_ENTRY_COW | MAP_ENTRY_NEEDS_COPY; } if (revokeperms & VM_PROT_EXECUTE) { vme->max_protection &= ~VM_PROT_EXECUTE; vme->protection &= ~VM_PROT_EXECUTE; } if (revokeperms & VM_PROT_READ) { vme->max_protection = 0; vme->protection = 0; } pmap_protect(map->pmap, vme->start, vme->end, vme->protection & ~revokeperms); vm_map_simplify_entry(map, vme); } vm_map_lock_downgrade(map); } vm_map_unlock_read(map); } /* * When the subject's label changes, it may require revocation of privilege * to mapped objects. This can't be done on-the-fly later with a unified * buffer cache. */ static void mac_relabel_cred(struct ucred *cred, struct label *newlabel) { MAC_PERFORM(relabel_cred, cred, newlabel); mac_cred_mmapped_drop_perms(curthread, cred); } void mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel) { MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel); } void mac_create_ifnet(struct ifnet *ifnet) { MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label); } void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) { MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label); } void mac_create_socket(struct ucred *cred, struct socket *socket) { MAC_PERFORM(create_socket, cred, socket, &socket->so_label); } void mac_create_pipe(struct ucred *cred, struct pipe *pipe) { MAC_PERFORM(create_pipe, cred, pipe, pipe->pipe_label); } void mac_create_socket_from_socket(struct socket *oldsocket, struct socket *newsocket) { MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label, newsocket, &newsocket->so_label); } static void mac_relabel_socket(struct ucred *cred, struct socket *socket, struct label *newlabel) { MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel); } static void mac_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *newlabel) { MAC_PERFORM(relabel_pipe, cred, pipe, pipe->pipe_label, newlabel); } void mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) { MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, &mbuf->m_pkthdr.label, socket, &socket->so_peerlabel); } void mac_set_socket_peer_from_socket(struct socket *oldsocket, struct socket *newsocket) { MAC_PERFORM(set_socket_peer_from_socket, oldsocket, &oldsocket->so_label, newsocket, &newsocket->so_peerlabel); } void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram) { MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label, datagram, &datagram->m_pkthdr.label); } void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment) { MAC_PERFORM(create_fragment, datagram, &datagram->m_pkthdr.label, fragment, &fragment->m_pkthdr.label); } void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq) { MAC_PERFORM(create_ipq, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); } void mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_from_mbuf, oldmbuf, &oldmbuf->m_pkthdr.label, newmbuf, &newmbuf->m_pkthdr.label); } void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, &oldmbuf->m_pkthdr.label, ifnet, &ifnet->if_label, newmbuf, &newmbuf->m_pkthdr.label); } void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_netlayer, oldmbuf, &oldmbuf->m_pkthdr.label, newmbuf, &newmbuf->m_pkthdr.label); } int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) { int result; result = 1; MAC_BOOLEAN(fragment_match, &&, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); return (result); } void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) { MAC_PERFORM(update_ipq, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); } void mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mount(struct ucred *cred, struct mount *mp) { MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); } void mac_create_root_mount(struct ucred *cred, struct mount *mp) { MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); } int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) { int error; if (!mac_enforce_network) return (0); MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet, &ifnet->if_label); return (error); } static int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel) { int error; MAC_CHECK(check_cred_relabel, cred, newlabel); return (error); } int mac_check_cred_visible(struct ucred *u1, struct ucred *u2) { int error; if (!mac_enforce_process) return (0); MAC_CHECK(check_cred_visible, u1, u2); return (error); } int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) { int error; if (!mac_enforce_network) return (0); KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr")); if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED)) printf("%s%d: not initialized\n", ifnet->if_name, ifnet->if_unit); MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); return (error); } int mac_check_mount_stat(struct ucred *cred, struct mount *mount) { int error; if (!mac_enforce_fs) return (0); MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel); return (error); } int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, void *data) { int error; MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); return (error); } int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) { int error; MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); return (error); } static int mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *newlabel) { int error; MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); return (error); } int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_debug, cred, proc); return (error); } int mac_check_proc_sched(struct ucred *cred, struct proc *proc) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_sched, cred, proc); return (error); } int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_signal, cred, proc, signum); return (error); } int mac_check_socket_bind(struct ucred *ucred, struct socket *socket, struct sockaddr *sockaddr) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label, sockaddr); return (error); } int mac_check_socket_connect(struct ucred *cred, struct socket *socket, struct sockaddr *sockaddr) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label, sockaddr); return (error); } int mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf, &mbuf->m_pkthdr.label); return (error); } int mac_check_socket_listen(struct ucred *cred, struct socket *socket) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label); return (error); } static int mac_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *newlabel) { int error; MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label, newlabel); return (error); } int mac_check_socket_visible(struct ucred *cred, struct socket *socket) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label); return (error); } int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { struct mac label; int error; error = mac_externalize(&ifnet->if_label, &label); if (error) return (error); return (copyout(&label, ifr->ifr_ifru.ifru_data, sizeof(label))); } int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { struct mac newlabel; struct label intlabel; int error; error = copyin(ifr->ifr_ifru.ifru_data, &newlabel, sizeof(newlabel)); if (error) return (error); error = mac_internalize(&intlabel, &newlabel); if (error) return (error); /* * XXX: Note that this is a redundant privilege check, since * policies impose this check themselves if required by the * policy. Eventually, this should go away. */ error = suser_cred(cred, 0); if (error) goto out; MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label, &intlabel); if (error) goto out; MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel); out: mac_destroy_temp(&intlabel); return (error); } void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp) { MAC_PERFORM(create_devfs_vnode, de, &de->de_label, vp, &vp->v_label); } void mac_create_devfs_device(dev_t dev, struct devfs_dirent *de) { MAC_PERFORM(create_devfs_device, dev, de, &de->de_label); } static int mac_stdcreatevnode_ea(struct vnode *vp) { int error; MAC_CHECK(stdcreatevnode_ea, vp, &vp->v_label); return (error); } void mac_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *de) { MAC_PERFORM(create_devfs_directory, dirname, dirnamelen, de, &de->de_label); } /* * When a new vnode is created, this call will initialize its label. */ void mac_create_vnode(struct ucred *cred, struct vnode *parent, struct vnode *child) { int error; ASSERT_VOP_LOCKED(parent, "mac_create_vnode"); ASSERT_VOP_LOCKED(child, "mac_create_vnode"); error = vn_refreshlabel(parent, cred); if (error) { printf("mac_create_vnode: vn_refreshlabel returned %d\n", error); printf("mac_create_vnode: using old vnode label\n"); } MAC_PERFORM(create_vnode, cred, parent, &parent->v_label, child, &child->v_label); } int mac_setsockopt_label_set(struct ucred *cred, struct socket *so, struct mac *extmac) { struct label intlabel; int error; error = mac_internalize(&intlabel, extmac); if (error) return (error); mac_check_socket_relabel(cred, so, &intlabel); if (error) { mac_destroy_temp(&intlabel); return (error); } mac_relabel_socket(cred, so, &intlabel); mac_destroy_temp(&intlabel); return (0); } int mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) { int error; error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); mac_relabel_pipe(cred, pipe, label); return (0); } int mac_getsockopt_label_get(struct ucred *cred, struct socket *so, struct mac *extmac) { return (mac_externalize(&so->so_label, extmac)); } int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, struct mac *extmac) { return (mac_externalize(&so->so_peerlabel, extmac)); } /* * Implementation of VOP_SETLABEL() that relies on extended attributes * to store label data. Can be referenced by filesystems supporting * extended attributes. */ int vop_stdsetlabel_ea(struct vop_setlabel_args *ap) { struct vnode *vp = ap->a_vp; struct label *intlabel = ap->a_label; struct mac extmac; int error; ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea"); /* * XXX: Eventually call out to EA check/set calls here. * Be particularly careful to avoid race conditions, * consistency problems, and stability problems when * dealing with multiple EAs. In particular, we require * the ability to write multiple EAs on the same file in * a single transaction, which the current EA interface * does not provide. */ error = mac_externalize(intlabel, &extmac); if (error) return (error); error = vn_extattr_set(vp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, sizeof(extmac), (char *)&extmac, curthread); if (error) return (error); mac_relabel_vnode(ap->a_cred, vp, intlabel); vp->v_vflag |= VV_CACHEDLABEL; return (0); } static int vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) { int error; if (vp->v_mount == NULL) { /* printf("vn_setlabel: null v_mount\n"); */ if (vp->v_tag != VT_NON) printf("vn_setlabel: null v_mount with non-VT_NON\n"); return (EBADF); } if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) return (EOPNOTSUPP); /* * Multi-phase commit. First check the policies to confirm the * change is OK. Then commit via the filesystem. Finally, * update the actual vnode label. Question: maybe the filesystem * should update the vnode at the end as part of VOP_SETLABEL()? */ error = mac_check_vnode_relabel(cred, vp, intlabel); if (error) return (error); /* * VADMIN provides the opportunity for the filesystem to make * decisions about who is and is not able to modify labels * and protections on files. This might not be right. We can't * assume VOP_SETLABEL() will do it, because we might implement * that as part of vop_stdsetlabel_ea(). */ error = VOP_ACCESS(vp, VADMIN, cred, curthread); if (error) return (error); error = VOP_SETLABEL(vp, intlabel, cred, curthread); if (error) return (error); return (0); } /* * MPSAFE */ int __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) { struct mac extmac; int error; error = mac_externalize(&td->td_ucred->cr_label, &extmac); if (error == 0) error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); return (error); } /* * MPSAFE * * XXX: Needs to be re-written for proc locking. */ int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { struct ucred *newcred, *oldcred; struct proc *p; struct mac extmac; struct label intlabel; int error; error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) return (error); error = mac_internalize(&intlabel, &extmac); if (error) return (error); newcred = crget(); p = td->td_proc; PROC_LOCK(p); oldcred = p->p_ucred; error = mac_check_cred_relabel(oldcred, &intlabel); if (error) { PROC_UNLOCK(p); mac_destroy_temp(&intlabel); crfree(newcred); return (error); } setsugid(p); crcopy(newcred, oldcred); PROC_UNLOCK(p); mac_relabel_cred(newcred, &intlabel); PROC_LOCK(p); p->p_ucred = newcred; PROC_UNLOCK(p); crfree(oldcred); mac_destroy_temp(&intlabel); return (0); } /* * MPSAFE */ int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { struct file *fp; struct mac extmac; struct vnode *vp; struct pipe *pipe; int error; mtx_lock(&Giant); error = fget(td, SCARG(uap, fd), &fp); if (error) goto out; switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: vp = (struct vnode *)fp->f_data; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = vn_refreshlabel(vp, td->td_ucred); if (error == 0) error = mac_externalize(&vp->v_label, &extmac); VOP_UNLOCK(vp, 0, td); break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; error = mac_externalize(pipe->pipe_label, &extmac); break; default: error = EINVAL; } if (error == 0) error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); fdrop(fp, td); out: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { struct nameidata nd; struct mac extmac; int error; mtx_lock(&Giant); NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, SCARG(uap, path_p), td); error = namei(&nd); if (error) goto out; error = vn_refreshlabel(nd.ni_vp, td->td_ucred); if (error == 0) error = mac_externalize(&nd.ni_vp->v_label, &extmac); NDFREE(&nd, 0); if (error) goto out; error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); out: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { struct file *fp; struct mac extmac; struct label intlabel; struct mount *mp; struct vnode *vp; struct pipe *pipe; int error; mtx_lock(&Giant); error = fget(td, SCARG(uap, fd), &fp); if (error) goto out1; error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) goto out2; error = mac_internalize(&intlabel, &extmac); if (error) goto out2; switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: vp = (struct vnode *)fp->f_data; error = vn_start_write(vp, &mp, V_WAIT | PCATCH); if (error != 0) break; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = vn_setlabel(vp, &intlabel, td->td_ucred); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); mac_destroy_temp(&intlabel); break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); break; default: error = EINVAL; } out2: fdrop(fp, td); out1: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { struct nameidata nd; struct mac extmac; struct label intlabel; struct mount *mp; int error; mtx_lock(&Giant); error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) goto out; error = mac_internalize(&intlabel, &extmac); if (error) goto out; NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, SCARG(uap, path_p), td); error = namei(&nd); if (error) goto out2; error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error) goto out2; error = vn_setlabel(nd.ni_vp, &intlabel, td->td_ucred); vn_finished_write(mp); out2: mac_destroy_temp(&intlabel); NDFREE(&nd, 0); out: mtx_unlock(&Giant); return (error); } SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); #else /* !MAC */ int __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) { return (ENOSYS); } int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { return (ENOSYS); } int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { return (ENOSYS); } int __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { return (ENOSYS); } int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { return (ENOSYS); } int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { return (ENOSYS); } #endif /* !MAC */ Index: head/sys/security/mac/mac_system.c =================================================================== --- head/sys/security/mac/mac_system.c (revision 102111) +++ head/sys/security/mac/mac_system.c (revision 102112) @@ -1,3174 +1,3221 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the * TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by NAI Labs, * the Security Research Division of Network Associates, Inc. under * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The names of the authors may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ /* * Developed by the TrustedBSD Project. * * Framework for extensible kernel access control. Kernel and userland * interface to the framework, policy registration and composition. */ #include "opt_mac.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef MAC /* * Declare that the kernel provides MAC support, version 1. This permits * modules to refuse to be loaded if the necessary support isn't present, * even if it's pre-boot. */ MODULE_VERSION(kernel_mac_support, 1); SYSCTL_DECL(_security); SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0, "TrustedBSD MAC policy controls"); SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0, "TrustedBSD MAC debug info"); static int mac_debug_label_fallback = 0; SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW, &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label" "when label is corrupted."); TUNABLE_INT("security.mac.debug_label_fallback", &mac_debug_label_fallback); #ifndef MAC_MAX_POLICIES #define MAC_MAX_POLICIES 8 #endif #if MAC_MAX_POLICIES > 32 #error "MAC_MAX_POLICIES too large" #endif static unsigned int mac_max_policies = MAC_MAX_POLICIES; static unsigned int mac_policy_offsets_free = (1 << MAC_MAX_POLICIES) - 1; SYSCTL_UINT(_security_mac, OID_AUTO, max_policies, CTLFLAG_RD, &mac_max_policies, 0, ""); static int mac_late = 0; static int mac_enforce_fs = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); static int mac_enforce_network = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, &mac_enforce_network, 0, "Enforce MAC policy on network packets"); TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network); static int mac_enforce_process = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW, &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations"); TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process); static int mac_enforce_socket = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); static int mac_enforce_pipe = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW, &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations"); static int mac_label_size = sizeof(struct mac); SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, &mac_label_size, 0, "Pre-compiled MAC label size"); static int mac_cache_fslabel_in_vnode = 1; SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW, &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode"); TUNABLE_INT("security.mac.cache_fslabel_in_vnode", &mac_cache_fslabel_in_vnode); static int mac_vnode_label_cache_hits = 0; SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD, &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels"); static int mac_vnode_label_cache_misses = 0; SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD, &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels"); static int mac_mmap_revocation_via_cow = 0; SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " "copy-on-write semantics, or by removing all write access"); #ifdef MAC_DEBUG static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, nmacipqs, nmacpipes; SYSCTL_UINT(_security_mac_debug, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, creds, CTLFLAG_RD, &nmaccreds, 0, "number of ucreds in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, ifnets, CTLFLAG_RD, &nmacifnets, 0, "number of ifnets in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, ipqs, CTLFLAG_RD, &nmacipqs, 0, "number of ipqs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, bpfdescs, CTLFLAG_RD, &nmacbpfdescs, 0, "number of bpfdescs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, pipes, CTLFLAG_RD, &nmacpipes, 0, "number of pipes in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, mounts, CTLFLAG_RD, &nmacmounts, 0, "number of mounts in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, temp, CTLFLAG_RD, &nmactemp, 0, "number of temporary labels in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, vnodes, CTLFLAG_RD, &nmacvnodes, 0, "number of vnodes in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, devfsdirents, CTLFLAG_RD, &nmacdevfsdirents, 0, "number of devfs dirents inuse"); #endif static int error_select(int error1, int error2); static int mac_externalize(struct label *label, struct mac *mac); static int mac_policy_register(struct mac_policy_conf *mpc); static int mac_policy_unregister(struct mac_policy_conf *mpc); static int mac_stdcreatevnode_ea(struct vnode *vp); static void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred); static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map); MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector"); MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes"); /* * mac_policy_list_lock protects the consistency of 'mac_policy_list', * the linked list of attached policy modules. Read-only consumers of * the list must acquire a shared lock for the duration of their use; * writers must acquire an exclusive lock. Note that for compound * operations, locks should be held for the entire compound operation, * and that this is not yet done for relabel requests. */ static struct mtx mac_policy_list_lock; static LIST_HEAD(, mac_policy_conf) mac_policy_list; static int mac_policy_list_busy; #define MAC_POLICY_LIST_LOCKINIT() mtx_init(&mac_policy_list_lock, \ "mac_policy_list_lock", NULL, MTX_DEF); #define MAC_POLICY_LIST_LOCK() mtx_lock(&mac_policy_list_lock); #define MAC_POLICY_LIST_UNLOCK() mtx_unlock(&mac_policy_list_lock); #define MAC_POLICY_LIST_BUSY() do { \ MAC_POLICY_LIST_LOCK(); \ mac_policy_list_busy++; \ MAC_POLICY_LIST_UNLOCK(); \ } while (0) #define MAC_POLICY_LIST_UNBUSY() do { \ MAC_POLICY_LIST_LOCK(); \ mac_policy_list_busy--; \ if (mac_policy_list_busy < 0) \ panic("Extra mac_policy_list_busy--"); \ MAC_POLICY_LIST_UNLOCK(); \ } while (0) /* * MAC_CHECK performs the designated check by walking the policy * module list and checking with each as to how it feels about the * request. Note that it returns its value via 'error' in the scope * of the caller. */ #define MAC_CHECK(check, args...) do { \ struct mac_policy_conf *mpc; \ \ error = 0; \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## check != NULL) \ error = error_select( \ mpc->mpc_ops->mpo_ ## check (args), \ error); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * MAC_BOOLEAN performs the designated boolean composition by walking * the module list, invoking each instance of the operation, and * combining the results using the passed C operator. Note that it * returns its value via 'result' in the scope of the caller, which * should be initialized by the caller in a meaningful way to get * a meaningful result. */ #define MAC_BOOLEAN(operation, composition, args...) do { \ struct mac_policy_conf *mpc; \ \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## operation != NULL) \ result = result composition \ mpc->mpc_ops->mpo_ ## operation (args); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * MAC_PERFORM performs the designated operation by walking the policy * module list and invoking that operation for each policy. */ #define MAC_PERFORM(operation, args...) do { \ struct mac_policy_conf *mpc; \ \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## operation != NULL) \ mpc->mpc_ops->mpo_ ## operation (args); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * Initialize the MAC subsystem, including appropriate SMP locks. */ static void mac_init(void) { LIST_INIT(&mac_policy_list); MAC_POLICY_LIST_LOCKINIT(); } /* * For the purposes of modules that want to know if they were loaded * "early", set the mac_late flag once we've processed modules either * linked into the kernel, or loaded before the kernel startup. */ static void mac_late_init(void) { mac_late = 1; } /* * Allow MAC policy modules to register during boot, etc. */ int mac_policy_modevent(module_t mod, int type, void *data) { struct mac_policy_conf *mpc; int error; error = 0; mpc = (struct mac_policy_conf *) data; switch (type) { case MOD_LOAD: if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE && mac_late) { printf("mac_policy_modevent: can't load %s policy " "after booting\n", mpc->mpc_name); error = EBUSY; break; } error = mac_policy_register(mpc); break; case MOD_UNLOAD: /* Don't unregister the module if it was never registered. */ if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) != 0) error = mac_policy_unregister(mpc); else error = 0; break; default: break; } return (error); } static int mac_policy_register(struct mac_policy_conf *mpc) { struct mac_policy_conf *tmpc; struct mac_policy_ops *ops; struct mac_policy_op_entry *mpe; int slot; MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*ops), M_MACOPVEC, M_WAITOK | M_ZERO); for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) { switch (mpe->mpe_constant) { case MAC_OP_LAST: /* * Doesn't actually happen, but this allows checking * that all enumerated values are handled. */ break; case MAC_DESTROY: mpc->mpc_ops->mpo_destroy = mpe->mpe_function; break; case MAC_INIT: mpc->mpc_ops->mpo_init = mpe->mpe_function; break; case MAC_INIT_BPFDESC: mpc->mpc_ops->mpo_init_bpfdesc = mpe->mpe_function; break; case MAC_INIT_CRED: mpc->mpc_ops->mpo_init_cred = mpe->mpe_function; break; case MAC_INIT_DEVFSDIRENT: mpc->mpc_ops->mpo_init_devfsdirent = mpe->mpe_function; break; case MAC_INIT_IFNET: mpc->mpc_ops->mpo_init_ifnet = mpe->mpe_function; break; case MAC_INIT_IPQ: mpc->mpc_ops->mpo_init_ipq = mpe->mpe_function; break; case MAC_INIT_MBUF: mpc->mpc_ops->mpo_init_mbuf = mpe->mpe_function; break; case MAC_INIT_MOUNT: mpc->mpc_ops->mpo_init_mount = mpe->mpe_function; break; case MAC_INIT_PIPE: mpc->mpc_ops->mpo_init_pipe = mpe->mpe_function; break; case MAC_INIT_SOCKET: mpc->mpc_ops->mpo_init_socket = mpe->mpe_function; break; case MAC_INIT_TEMP: mpc->mpc_ops->mpo_init_temp = mpe->mpe_function; break; case MAC_INIT_VNODE: mpc->mpc_ops->mpo_init_vnode = mpe->mpe_function; break; case MAC_DESTROY_BPFDESC: mpc->mpc_ops->mpo_destroy_bpfdesc = mpe->mpe_function; break; case MAC_DESTROY_CRED: mpc->mpc_ops->mpo_destroy_cred = mpe->mpe_function; break; case MAC_DESTROY_DEVFSDIRENT: mpc->mpc_ops->mpo_destroy_devfsdirent = mpe->mpe_function; break; case MAC_DESTROY_IFNET: mpc->mpc_ops->mpo_destroy_ifnet = mpe->mpe_function; break; case MAC_DESTROY_IPQ: mpc->mpc_ops->mpo_destroy_ipq = mpe->mpe_function; break; case MAC_DESTROY_MBUF: mpc->mpc_ops->mpo_destroy_mbuf = mpe->mpe_function; break; case MAC_DESTROY_MOUNT: mpc->mpc_ops->mpo_destroy_mount = mpe->mpe_function; break; case MAC_DESTROY_PIPE: mpc->mpc_ops->mpo_destroy_pipe = mpe->mpe_function; break; case MAC_DESTROY_SOCKET: mpc->mpc_ops->mpo_destroy_socket = mpe->mpe_function; break; case MAC_DESTROY_TEMP: mpc->mpc_ops->mpo_destroy_temp = mpe->mpe_function; break; case MAC_DESTROY_VNODE: mpc->mpc_ops->mpo_destroy_vnode = mpe->mpe_function; break; case MAC_EXTERNALIZE: mpc->mpc_ops->mpo_externalize = mpe->mpe_function; break; case MAC_INTERNALIZE: mpc->mpc_ops->mpo_internalize = mpe->mpe_function; break; case MAC_CREATE_DEVFS_DEVICE: mpc->mpc_ops->mpo_create_devfs_device = mpe->mpe_function; break; case MAC_CREATE_DEVFS_DIRECTORY: mpc->mpc_ops->mpo_create_devfs_directory = mpe->mpe_function; break; case MAC_CREATE_DEVFS_VNODE: mpc->mpc_ops->mpo_create_devfs_vnode = mpe->mpe_function; break; case MAC_STDCREATEVNODE_EA: mpc->mpc_ops->mpo_stdcreatevnode_ea = mpe->mpe_function; break; case MAC_CREATE_VNODE: mpc->mpc_ops->mpo_create_vnode = mpe->mpe_function; break; case MAC_CREATE_MOUNT: mpc->mpc_ops->mpo_create_mount = mpe->mpe_function; break; case MAC_CREATE_ROOT_MOUNT: mpc->mpc_ops->mpo_create_root_mount = mpe->mpe_function; break; case MAC_RELABEL_VNODE: mpc->mpc_ops->mpo_relabel_vnode = mpe->mpe_function; break; case MAC_UPDATE_DEVFSDIRENT: mpc->mpc_ops->mpo_update_devfsdirent = mpe->mpe_function; break; case MAC_UPDATE_PROCFSVNODE: mpc->mpc_ops->mpo_update_procfsvnode = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_EXTATTR: mpc->mpc_ops->mpo_update_vnode_from_extattr = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_EXTERNALIZED: mpc->mpc_ops->mpo_update_vnode_from_externalized = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_MOUNT: mpc->mpc_ops->mpo_update_vnode_from_mount = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_SOCKET: mpc->mpc_ops->mpo_create_mbuf_from_socket = mpe->mpe_function; break; case MAC_CREATE_PIPE: mpc->mpc_ops->mpo_create_pipe = mpe->mpe_function; break; case MAC_CREATE_SOCKET: mpc->mpc_ops->mpo_create_socket = mpe->mpe_function; break; case MAC_CREATE_SOCKET_FROM_SOCKET: mpc->mpc_ops->mpo_create_socket_from_socket = mpe->mpe_function; break; case MAC_RELABEL_PIPE: mpc->mpc_ops->mpo_relabel_pipe = mpe->mpe_function; break; case MAC_RELABEL_SOCKET: mpc->mpc_ops->mpo_relabel_socket = mpe->mpe_function; break; case MAC_SET_SOCKET_PEER_FROM_MBUF: mpc->mpc_ops->mpo_set_socket_peer_from_mbuf = mpe->mpe_function; break; case MAC_SET_SOCKET_PEER_FROM_SOCKET: mpc->mpc_ops->mpo_set_socket_peer_from_socket = mpe->mpe_function; break; case MAC_CREATE_BPFDESC: mpc->mpc_ops->mpo_create_bpfdesc = mpe->mpe_function; break; case MAC_CREATE_DATAGRAM_FROM_IPQ: mpc->mpc_ops->mpo_create_datagram_from_ipq = mpe->mpe_function; break; case MAC_CREATE_FRAGMENT: mpc->mpc_ops->mpo_create_fragment = mpe->mpe_function; break; case MAC_CREATE_IFNET: mpc->mpc_ops->mpo_create_ifnet = mpe->mpe_function; break; case MAC_CREATE_IPQ: mpc->mpc_ops->mpo_create_ipq = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_MBUF: mpc->mpc_ops->mpo_create_mbuf_from_mbuf = mpe->mpe_function; break; case MAC_CREATE_MBUF_LINKLAYER: mpc->mpc_ops->mpo_create_mbuf_linklayer = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_BPFDESC: mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_IFNET: mpc->mpc_ops->mpo_create_mbuf_from_ifnet = mpe->mpe_function; break; case MAC_CREATE_MBUF_MULTICAST_ENCAP: mpc->mpc_ops->mpo_create_mbuf_multicast_encap = mpe->mpe_function; break; case MAC_CREATE_MBUF_NETLAYER: mpc->mpc_ops->mpo_create_mbuf_netlayer = mpe->mpe_function; break; case MAC_FRAGMENT_MATCH: mpc->mpc_ops->mpo_fragment_match = mpe->mpe_function; break; case MAC_RELABEL_IFNET: mpc->mpc_ops->mpo_relabel_ifnet = mpe->mpe_function; break; case MAC_UPDATE_IPQ: mpc->mpc_ops->mpo_update_ipq = mpe->mpe_function; break; case MAC_CREATE_CRED: mpc->mpc_ops->mpo_create_cred = mpe->mpe_function; break; case MAC_EXECVE_TRANSITION: mpc->mpc_ops->mpo_execve_transition = mpe->mpe_function; break; case MAC_EXECVE_WILL_TRANSITION: mpc->mpc_ops->mpo_execve_will_transition = mpe->mpe_function; break; case MAC_CREATE_PROC0: mpc->mpc_ops->mpo_create_proc0 = mpe->mpe_function; break; case MAC_CREATE_PROC1: mpc->mpc_ops->mpo_create_proc1 = mpe->mpe_function; break; case MAC_RELABEL_CRED: mpc->mpc_ops->mpo_relabel_cred = mpe->mpe_function; break; case MAC_CHECK_BPFDESC_RECEIVE: mpc->mpc_ops->mpo_check_bpfdesc_receive = mpe->mpe_function; break; case MAC_CHECK_CRED_RELABEL: mpc->mpc_ops->mpo_check_cred_relabel = mpe->mpe_function; break; case MAC_CHECK_CRED_VISIBLE: mpc->mpc_ops->mpo_check_cred_visible = mpe->mpe_function; break; case MAC_CHECK_IFNET_RELABEL: mpc->mpc_ops->mpo_check_ifnet_relabel = mpe->mpe_function; break; case MAC_CHECK_IFNET_TRANSMIT: mpc->mpc_ops->mpo_check_ifnet_transmit = mpe->mpe_function; break; case MAC_CHECK_MOUNT_STAT: mpc->mpc_ops->mpo_check_mount_stat = mpe->mpe_function; break; case MAC_CHECK_PIPE_IOCTL: mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; case MAC_CHECK_PIPE_OP: mpc->mpc_ops->mpo_check_pipe_op = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; break; case MAC_CHECK_PROC_SCHED: mpc->mpc_ops->mpo_check_proc_sched = mpe->mpe_function; break; case MAC_CHECK_PROC_SIGNAL: mpc->mpc_ops->mpo_check_proc_signal = mpe->mpe_function; break; case MAC_CHECK_SOCKET_BIND: mpc->mpc_ops->mpo_check_socket_bind = mpe->mpe_function; break; case MAC_CHECK_SOCKET_CONNECT: mpc->mpc_ops->mpo_check_socket_connect = mpe->mpe_function; break; case MAC_CHECK_SOCKET_DELIVER: mpc->mpc_ops->mpo_check_socket_deliver = mpe->mpe_function; break; case MAC_CHECK_SOCKET_LISTEN: mpc->mpc_ops->mpo_check_socket_listen = mpe->mpe_function; break; case MAC_CHECK_SOCKET_RELABEL: mpc->mpc_ops->mpo_check_socket_relabel = mpe->mpe_function; break; case MAC_CHECK_SOCKET_VISIBLE: mpc->mpc_ops->mpo_check_socket_visible = mpe->mpe_function; break; case MAC_CHECK_VNODE_ACCESS: mpc->mpc_ops->mpo_check_vnode_access = mpe->mpe_function; break; case MAC_CHECK_VNODE_CHDIR: mpc->mpc_ops->mpo_check_vnode_chdir = mpe->mpe_function; break; case MAC_CHECK_VNODE_CHROOT: mpc->mpc_ops->mpo_check_vnode_chroot = mpe->mpe_function; break; case MAC_CHECK_VNODE_CREATE: mpc->mpc_ops->mpo_check_vnode_create = mpe->mpe_function; break; case MAC_CHECK_VNODE_DELETE: mpc->mpc_ops->mpo_check_vnode_delete = mpe->mpe_function; break; case MAC_CHECK_VNODE_DELETEACL: mpc->mpc_ops->mpo_check_vnode_deleteacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_EXEC: mpc->mpc_ops->mpo_check_vnode_exec = mpe->mpe_function; break; case MAC_CHECK_VNODE_GETACL: mpc->mpc_ops->mpo_check_vnode_getacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_GETEXTATTR: mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; case MAC_CHECK_VNODE_LOOKUP: mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; break; case MAC_CHECK_VNODE_MMAP_PERMS: mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; break; case MAC_CHECK_VNODE_READLINK: mpc->mpc_ops->mpo_check_vnode_readlink = mpe->mpe_function; break; case MAC_CHECK_VNODE_RELABEL: mpc->mpc_ops->mpo_check_vnode_relabel = mpe->mpe_function; break; case MAC_CHECK_VNODE_RENAME_FROM: mpc->mpc_ops->mpo_check_vnode_rename_from = mpe->mpe_function; break; case MAC_CHECK_VNODE_RENAME_TO: mpc->mpc_ops->mpo_check_vnode_rename_to = mpe->mpe_function; break; case MAC_CHECK_VNODE_REVOKE: mpc->mpc_ops->mpo_check_vnode_revoke = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETACL: mpc->mpc_ops->mpo_check_vnode_setacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETEXTATTR: mpc->mpc_ops->mpo_check_vnode_setextattr = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETFLAGS: mpc->mpc_ops->mpo_check_vnode_setflags = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETMODE: mpc->mpc_ops->mpo_check_vnode_setmode = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETOWNER: mpc->mpc_ops->mpo_check_vnode_setowner = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETUTIMES: mpc->mpc_ops->mpo_check_vnode_setutimes = mpe->mpe_function; break; case MAC_CHECK_VNODE_STAT: mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", mpc->mpc_name, mpe->mpe_constant); return (EINVAL); */ } } MAC_POLICY_LIST_LOCK(); if (mac_policy_list_busy > 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (EBUSY); } LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (EEXIST); } } if (mpc->mpc_field_off != NULL) { slot = ffs(mac_policy_offsets_free); if (slot == 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (ENOMEM); } slot--; mac_policy_offsets_free &= ~(1 << slot); *mpc->mpc_field_off = slot; } mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED; LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list); /* Per-policy initialization. */ if (mpc->mpc_ops->mpo_init != NULL) (*(mpc->mpc_ops->mpo_init))(mpc); MAC_POLICY_LIST_UNLOCK(); printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); return (0); } static int mac_policy_unregister(struct mac_policy_conf *mpc) { #if 0 /* * Don't allow unloading modules with private data. */ if (mpc->mpc_field_off != NULL) return (EBUSY); #endif if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) return (EBUSY); MAC_POLICY_LIST_LOCK(); if (mac_policy_list_busy > 0) { MAC_POLICY_LIST_UNLOCK(); return (EBUSY); } if (mpc->mpc_ops->mpo_destroy != NULL) (*(mpc->mpc_ops->mpo_destroy))(mpc); LIST_REMOVE(mpc, mpc_list); MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); return (0); } /* * Define an error value precedence, and given two arguments, selects the * value with the higher precedence. */ static int error_select(int error1, int error2) { /* Certain decision-making errors take top priority. */ if (error1 == EDEADLK || error2 == EDEADLK) return (EDEADLK); /* Invalid arguments should be reported where possible. */ if (error1 == EINVAL || error2 == EINVAL) return (EINVAL); /* Precedence goes to "visibility", with both process and file. */ if (error1 == ESRCH || error2 == ESRCH) return (ESRCH); if (error1 == ENOENT || error2 == ENOENT) return (ENOENT); /* Precedence goes to DAC/MAC protections. */ if (error1 == EACCES || error2 == EACCES) return (EACCES); /* Precedence goes to privilege. */ if (error1 == EPERM || error2 == EPERM) return (EPERM); /* Precedence goes to error over success; otherwise, arbitrary. */ if (error1 != 0) return (error1); return (error2); } void mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp) { MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label); } void mac_update_procfsvnode(struct vnode *vp, struct ucred *cred) { MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred); } /* * Support callout for policies that manage their own externalization * using extended attributes. */ static int mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp) { int error; MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp, &mp->mnt_fslabel); return (error); } /* * Given an externalized mac label, internalize it and stamp it on a * vnode. */ static int mac_update_vnode_from_externalized(struct vnode *vp, struct mac *extmac) { int error; MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac); return (error); } /* * Call out to individual policies to update the label in a vnode from * the mountpoint. */ void mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp) { MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp, &mp->mnt_fslabel); ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount"); if (mac_cache_fslabel_in_vnode) vp->v_vflag |= VV_CACHEDLABEL; } /* * Implementation of VOP_REFRESHLABEL() that relies on extended attributes * to store label data. Can be referenced by filesystems supporting * extended attributes. */ int vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap) { struct vnode *vp = ap->a_vp; struct mac extmac; int buflen, error; ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea"); /* * Call out to external policies first. Order doesn't really * matter, as long as failure of one assures failure of all. */ error = mac_update_vnode_from_extattr(vp, vp->v_mount); if (error) return (error); buflen = sizeof(extmac); error = vn_extattr_get(vp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen, (char *)&extmac, curthread); switch (error) { case 0: /* Got it */ break; case ENOATTR: /* * Use the label from the mount point. */ mac_update_vnode_from_mount(vp, vp->v_mount); return (0); case EOPNOTSUPP: default: /* Fail horribly. */ return (error); } if (buflen != sizeof(extmac)) error = EPERM; /* Fail very closed. */ if (error == 0) error = mac_update_vnode_from_externalized(vp, &extmac); if (error == 0) vp->v_vflag |= VV_CACHEDLABEL; else { struct vattr va; printf("Corrupted label on %s", vp->v_mount->mnt_stat.f_mntonname); if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0) printf(" inum %ld", va.va_fileid); if (mac_debug_label_fallback) { printf(", falling back.\n"); mac_update_vnode_from_mount(vp, vp->v_mount); error = 0; } else { printf(".\n"); error = EPERM; } } return (error); } /* * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle * the labeling activity outselves. Filesystems should be careful not * to change their minds regarding whether they support vop_refreshlabel() * for a vnode or not. Don't cache the vnode here, allow the file * system code to determine if it's safe to cache. If we update from * the mount, don't cache since a change to the mount label should affect * all vnodes. */ static int vn_refreshlabel(struct vnode *vp, struct ucred *cred) { int error; ASSERT_VOP_LOCKED(vp, "vn_refreshlabel"); if (vp->v_mount == NULL) { /* Eventually, we probably want to special-case refreshing of deadfs vnodes, and if there's a lock-free race somewhere, that case might be handled here. mac_update_vnode_deadfs(vp); return (0); */ /* printf("vn_refreshlabel: null v_mount\n"); */ if (vp->v_tag != VT_NON) printf( "vn_refreshlabel: null v_mount with non-VT_NON\n"); return (EBADF); } if (vp->v_vflag & VV_CACHEDLABEL) { mac_vnode_label_cache_hits++; return (0); } else mac_vnode_label_cache_misses++; if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { mac_update_vnode_from_mount(vp, vp->v_mount); return (0); } error = VOP_REFRESHLABEL(vp, cred, curthread); switch (error) { case EOPNOTSUPP: /* * If labels are not supported on this vnode, fall back to * the label in the mount and propagate it to the vnode. * There should probably be some sort of policy/flag/decision * about doing this. */ mac_update_vnode_from_mount(vp, vp->v_mount); error = 0; default: return (error); } } /* * Helper function for file systems using the vop_std*_ea() calls. This * function must be called after EA service is available for the vnode, * but before it's hooked up to the namespace so that the node persists * if there's a crash, or before it can be accessed. On successful * commit of the label to disk (etc), do cache the label. */ int vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred) { struct mac extmac; int error; ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea"); if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { mac_update_vnode_from_mount(tvp, tvp->v_mount); } else { error = vn_refreshlabel(dvp, cred); if (error) return (error); /* * Stick the label in the vnode. Then try to write to * disk. If we fail, return a failure to abort the * create operation. Really, this failure shouldn't * happen except in fairly unusual circumstances (out * of disk, etc). */ mac_create_vnode(cred, dvp, tvp); error = mac_stdcreatevnode_ea(tvp); if (error) return (error); /* * XXX: Eventually this will go away and all policies will * directly manage their extended attributes. */ error = mac_externalize(&tvp->v_label, &extmac); if (error) return (error); error = vn_extattr_set(tvp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, sizeof(extmac), (char *)&extmac, curthread); if (error == 0) tvp->v_vflag |= VV_CACHEDLABEL; else { #if 0 /* * In theory, we could have fall-back behavior here. * It would probably be incorrect. */ #endif return (error); } } return (0); } void mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_execve_transition"); error = vn_refreshlabel(vp, old); if (error) { printf("mac_execve_transition: vn_refreshlabel returned %d\n", error); printf("mac_execve_transition: using old vnode label\n"); } MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label); } int mac_execve_will_transition(struct ucred *old, struct vnode *vp) { int error, result; error = vn_refreshlabel(vp, old); if (error) return (error); result = 0; MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label); return (result); } static void mac_init_label(struct label *label) { bzero(label, sizeof(*label)); label->l_flags = MAC_FLAG_INITIALIZED; } static void mac_init_structmac(struct mac *mac) { bzero(mac, sizeof(*mac)); mac->m_macflags = MAC_FLAG_INITIALIZED; } static void mac_destroy_label(struct label *label) { KASSERT(label->l_flags & MAC_FLAG_INITIALIZED, ("destroying uninitialized label")); bzero(label, sizeof(*label)); /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */ } int mac_init_mbuf(struct mbuf *m, int how) { KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf")); /* "how" is one of M_(TRY|DONT)WAIT */ mac_init_label(&m->m_pkthdr.label); MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_add_int(&nmacmbufs, 1); #endif return (0); } void mac_destroy_mbuf(struct mbuf *m) { MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmbufs, 1); #endif } void mac_init_cred(struct ucred *cr) { mac_init_label(&cr->cr_label); MAC_PERFORM(init_cred, cr, &cr->cr_label); #ifdef MAC_DEBUG atomic_add_int(&nmaccreds, 1); #endif } void mac_destroy_cred(struct ucred *cr) { MAC_PERFORM(destroy_cred, cr, &cr->cr_label); mac_destroy_label(&cr->cr_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmaccreds, 1); #endif } void mac_init_ifnet(struct ifnet *ifp) { mac_init_label(&ifp->if_label); MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); #ifdef MAC_DEBUG atomic_add_int(&nmacifnets, 1); #endif } void mac_destroy_ifnet(struct ifnet *ifp) { MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacifnets, 1); #endif } void mac_init_ipq(struct ipq *ipq) { mac_init_label(&ipq->ipq_label); MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); #ifdef MAC_DEBUG atomic_add_int(&nmacipqs, 1); #endif } void mac_destroy_ipq(struct ipq *ipq) { MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); mac_destroy_label(&ipq->ipq_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacipqs, 1); #endif } void mac_init_socket(struct socket *socket) { mac_init_label(&socket->so_label); mac_init_label(&socket->so_peerlabel); MAC_PERFORM(init_socket, socket, &socket->so_label, &socket->so_peerlabel); #ifdef MAC_DEBUG atomic_add_int(&nmacsockets, 1); #endif } void mac_destroy_socket(struct socket *socket) { MAC_PERFORM(destroy_socket, socket, &socket->so_label, &socket->so_peerlabel); mac_destroy_label(&socket->so_label); mac_destroy_label(&socket->so_peerlabel); #ifdef MAC_DEBUG atomic_subtract_int(&nmacsockets, 1); #endif } void mac_init_pipe(struct pipe *pipe) { struct label *label; label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); mac_init_label(label); pipe->pipe_label = label; pipe->pipe_peer->pipe_label = label; MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); #ifdef MAC_DEBUG atomic_add_int(&nmacpipes, 1); #endif } void mac_destroy_pipe(struct pipe *pipe) { MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); mac_destroy_label(pipe->pipe_label); free(pipe->pipe_label, M_MACPIPELABEL); #ifdef MAC_DEBUG atomic_subtract_int(&nmacpipes, 1); #endif } void mac_init_bpfdesc(struct bpf_d *bpf_d) { mac_init_label(&bpf_d->bd_label); MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); #ifdef MAC_DEBUG atomic_add_int(&nmacbpfdescs, 1); #endif } void mac_destroy_bpfdesc(struct bpf_d *bpf_d) { MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); mac_destroy_label(&bpf_d->bd_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacbpfdescs, 1); #endif } void mac_init_mount(struct mount *mp) { mac_init_label(&mp->mnt_mntlabel); mac_init_label(&mp->mnt_fslabel); MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); #ifdef MAC_DEBUG atomic_add_int(&nmacmounts, 1); #endif } void mac_destroy_mount(struct mount *mp) { MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); mac_destroy_label(&mp->mnt_fslabel); mac_destroy_label(&mp->mnt_mntlabel); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmounts, 1); #endif } static void mac_init_temp(struct label *label) { mac_init_label(label); MAC_PERFORM(init_temp, label); #ifdef MAC_DEBUG atomic_add_int(&nmactemp, 1); #endif } static void mac_destroy_temp(struct label *label) { MAC_PERFORM(destroy_temp, label); mac_destroy_label(label); #ifdef MAC_DEBUG atomic_subtract_int(&nmactemp, 1); #endif } void mac_init_vnode(struct vnode *vp) { mac_init_label(&vp->v_label); MAC_PERFORM(init_vnode, vp, &vp->v_label); #ifdef MAC_DEBUG atomic_add_int(&nmacvnodes, 1); #endif } void mac_destroy_vnode(struct vnode *vp) { MAC_PERFORM(destroy_vnode, vp, &vp->v_label); mac_destroy_label(&vp->v_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacvnodes, 1); #endif } void mac_init_devfsdirent(struct devfs_dirent *de) { mac_init_label(&de->de_label); MAC_PERFORM(init_devfsdirent, de, &de->de_label); #ifdef MAC_DEBUG atomic_add_int(&nmacdevfsdirents, 1); #endif } void mac_destroy_devfsdirent(struct devfs_dirent *de) { MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); mac_destroy_label(&de->de_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacdevfsdirents, 1); #endif } static int mac_externalize(struct label *label, struct mac *mac) { int error; mac_init_structmac(mac); MAC_CHECK(externalize, label, mac); return (error); } static int mac_internalize(struct label *label, struct mac *mac) { int error; mac_init_temp(label); MAC_CHECK(internalize, label, mac); if (error) mac_destroy_temp(label); return (error); } /* * Initialize MAC label for the first kernel process, from which other * kernel processes and threads are spawned. */ void mac_create_proc0(struct ucred *cred) { MAC_PERFORM(create_proc0, cred); } /* * Initialize MAC label for the first userland process, from which other * userland processes and threads are spawned. */ void mac_create_proc1(struct ucred *cred) { MAC_PERFORM(create_proc1, cred); } /* * When a new process is created, its label must be initialized. Generally, * this involves inheritence from the parent process, modulo possible * deltas. This function allows that processing to take place. */ void mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred) { MAC_PERFORM(create_cred, parent_cred, child_cred); } int mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags); return (error); } int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct componentname *cnp, struct vattr *vap) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap); return (error); } int mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type); return (error); } int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec"); if (!mac_enforce_process && !mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label); return (error); } int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type); return (error); } int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp); return (error); } vm_prot_t mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) { vm_prot_t result = VM_PROT_ALL; /* * This should be some sort of MAC_BITWISE, maybe :) */ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_perms"); MAC_BOOLEAN(check_vnode_mmap_perms, &, cred, vp, &vp->v_label, newmapping); return (result); } int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) +mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + if (!mac_enforce_fs) return (0); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + return (error); +} + +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); + error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); return (error); } int -mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + return (error); } int mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label); return (error); } static int mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel"); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel); return (error); } int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, struct vnode *vp, int samedir, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); if (vp != NULL) { error = vn_refreshlabel(vp, cred); if (error) return (error); } MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp, vp != NULL ? &vp->v_label : NULL, samedir, cnp); return (error); } int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label); return (error); } int mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, struct acl *acl) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl); return (error); } int mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags); return (error); } int mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode); return (error); } int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, gid_t gid) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid); return (error); } int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime, mtime); return (error); } int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label); return (error); } + +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its * memory space, and revoke access (in the least surprising ways we * know) when necessary. The process lock is not held here. */ static void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred) { /* XXX freeze all other threads */ mtx_lock(&Giant); mac_cred_mmapped_drop_perms_recurse(td, cred, &td->td_proc->p_vmspace->vm_map); mtx_unlock(&Giant); /* XXX allow other threads to continue */ } static __inline const char * prot2str(vm_prot_t prot) { switch (prot & VM_PROT_ALL) { case VM_PROT_READ: return ("r--"); case VM_PROT_READ | VM_PROT_WRITE: return ("rw-"); case VM_PROT_READ | VM_PROT_EXECUTE: return ("r-x"); case VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE: return ("rwx"); case VM_PROT_WRITE: return ("-w-"); case VM_PROT_EXECUTE: return ("--x"); case VM_PROT_WRITE | VM_PROT_EXECUTE: return ("-wx"); default: return ("---"); } } static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map) { struct vm_map_entry *vme; vm_prot_t result, revokeperms; vm_object_t object; vm_ooffset_t offset; struct vnode *vp; vm_map_lock_read(map); for (vme = map->header.next; vme != &map->header; vme = vme->next) { if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) { mac_cred_mmapped_drop_perms_recurse(td, cred, vme->object.sub_map); continue; } /* * Skip over entries that obviously are not shared. */ if (vme->eflags & (MAP_ENTRY_COW | MAP_ENTRY_NOSYNC) || !vme->max_protection) continue; /* * Drill down to the deepest backing object. */ offset = vme->offset; object = vme->object.vm_object; if (object == NULL) continue; while (object->backing_object != NULL) { object = object->backing_object; offset += object->backing_object_offset; } /* * At the moment, vm_maps and objects aren't considered * by the MAC system, so only things with backing by a * normal object (read: vnodes) are checked. */ if (object->type != OBJT_VNODE) continue; vp = (struct vnode *)object->handle; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); result = mac_check_vnode_mmap_prot(cred, vp, 0); VOP_UNLOCK(vp, 0, td); /* * Find out what maximum protection we may be allowing * now but a policy needs to get removed. */ revokeperms = vme->max_protection & ~result; if (!revokeperms) continue; printf("pid %d: revoking %s perms from %#lx:%d " "(max %s/cur %s)\n", td->td_proc->p_pid, prot2str(revokeperms), vme->start, vme->end - vme->start, prot2str(vme->max_protection), prot2str(vme->protection)); vm_map_lock_upgrade(map); /* * This is the really simple case: if a map has more * max_protection than is allowed, but it's not being * actually used (that is, the current protection is * still allowed), we can just wipe it out and do * nothing more. */ if ((vme->protection & revokeperms) == 0) { vme->max_protection -= revokeperms; } else { if (revokeperms & VM_PROT_WRITE) { /* * In the more complicated case, flush out all * pending changes to the object then turn it * copy-on-write. */ vm_object_reference(object); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); vm_object_page_clean(object, OFF_TO_IDX(offset), OFF_TO_IDX(offset + vme->end - vme->start + PAGE_MASK), OBJPC_SYNC); VOP_UNLOCK(vp, 0, td); vm_object_deallocate(object); /* * Why bother if there's no read permissions * anymore? For the rest, we need to leave * the write permissions on for COW, or * remove them entirely if configured to. */ if (!mac_mmap_revocation_via_cow) { vme->max_protection &= ~VM_PROT_WRITE; vme->protection &= ~VM_PROT_WRITE; } if ((revokeperms & VM_PROT_READ) == 0) vme->eflags |= MAP_ENTRY_COW | MAP_ENTRY_NEEDS_COPY; } if (revokeperms & VM_PROT_EXECUTE) { vme->max_protection &= ~VM_PROT_EXECUTE; vme->protection &= ~VM_PROT_EXECUTE; } if (revokeperms & VM_PROT_READ) { vme->max_protection = 0; vme->protection = 0; } pmap_protect(map->pmap, vme->start, vme->end, vme->protection & ~revokeperms); vm_map_simplify_entry(map, vme); } vm_map_lock_downgrade(map); } vm_map_unlock_read(map); } /* * When the subject's label changes, it may require revocation of privilege * to mapped objects. This can't be done on-the-fly later with a unified * buffer cache. */ static void mac_relabel_cred(struct ucred *cred, struct label *newlabel) { MAC_PERFORM(relabel_cred, cred, newlabel); mac_cred_mmapped_drop_perms(curthread, cred); } void mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel) { MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel); } void mac_create_ifnet(struct ifnet *ifnet) { MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label); } void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) { MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label); } void mac_create_socket(struct ucred *cred, struct socket *socket) { MAC_PERFORM(create_socket, cred, socket, &socket->so_label); } void mac_create_pipe(struct ucred *cred, struct pipe *pipe) { MAC_PERFORM(create_pipe, cred, pipe, pipe->pipe_label); } void mac_create_socket_from_socket(struct socket *oldsocket, struct socket *newsocket) { MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label, newsocket, &newsocket->so_label); } static void mac_relabel_socket(struct ucred *cred, struct socket *socket, struct label *newlabel) { MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel); } static void mac_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *newlabel) { MAC_PERFORM(relabel_pipe, cred, pipe, pipe->pipe_label, newlabel); } void mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) { MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, &mbuf->m_pkthdr.label, socket, &socket->so_peerlabel); } void mac_set_socket_peer_from_socket(struct socket *oldsocket, struct socket *newsocket) { MAC_PERFORM(set_socket_peer_from_socket, oldsocket, &oldsocket->so_label, newsocket, &newsocket->so_peerlabel); } void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram) { MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label, datagram, &datagram->m_pkthdr.label); } void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment) { MAC_PERFORM(create_fragment, datagram, &datagram->m_pkthdr.label, fragment, &fragment->m_pkthdr.label); } void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq) { MAC_PERFORM(create_ipq, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); } void mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_from_mbuf, oldmbuf, &oldmbuf->m_pkthdr.label, newmbuf, &newmbuf->m_pkthdr.label); } void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, &oldmbuf->m_pkthdr.label, ifnet, &ifnet->if_label, newmbuf, &newmbuf->m_pkthdr.label); } void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_netlayer, oldmbuf, &oldmbuf->m_pkthdr.label, newmbuf, &newmbuf->m_pkthdr.label); } int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) { int result; result = 1; MAC_BOOLEAN(fragment_match, &&, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); return (result); } void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) { MAC_PERFORM(update_ipq, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); } void mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mount(struct ucred *cred, struct mount *mp) { MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); } void mac_create_root_mount(struct ucred *cred, struct mount *mp) { MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); } int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) { int error; if (!mac_enforce_network) return (0); MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet, &ifnet->if_label); return (error); } static int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel) { int error; MAC_CHECK(check_cred_relabel, cred, newlabel); return (error); } int mac_check_cred_visible(struct ucred *u1, struct ucred *u2) { int error; if (!mac_enforce_process) return (0); MAC_CHECK(check_cred_visible, u1, u2); return (error); } int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) { int error; if (!mac_enforce_network) return (0); KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr")); if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED)) printf("%s%d: not initialized\n", ifnet->if_name, ifnet->if_unit); MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); return (error); } int mac_check_mount_stat(struct ucred *cred, struct mount *mount) { int error; if (!mac_enforce_fs) return (0); MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel); return (error); } int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, void *data) { int error; MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); return (error); } int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) { int error; MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); return (error); } static int mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *newlabel) { int error; MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); return (error); } int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_debug, cred, proc); return (error); } int mac_check_proc_sched(struct ucred *cred, struct proc *proc) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_sched, cred, proc); return (error); } int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_signal, cred, proc, signum); return (error); } int mac_check_socket_bind(struct ucred *ucred, struct socket *socket, struct sockaddr *sockaddr) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label, sockaddr); return (error); } int mac_check_socket_connect(struct ucred *cred, struct socket *socket, struct sockaddr *sockaddr) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label, sockaddr); return (error); } int mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf, &mbuf->m_pkthdr.label); return (error); } int mac_check_socket_listen(struct ucred *cred, struct socket *socket) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label); return (error); } static int mac_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *newlabel) { int error; MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label, newlabel); return (error); } int mac_check_socket_visible(struct ucred *cred, struct socket *socket) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label); return (error); } int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { struct mac label; int error; error = mac_externalize(&ifnet->if_label, &label); if (error) return (error); return (copyout(&label, ifr->ifr_ifru.ifru_data, sizeof(label))); } int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { struct mac newlabel; struct label intlabel; int error; error = copyin(ifr->ifr_ifru.ifru_data, &newlabel, sizeof(newlabel)); if (error) return (error); error = mac_internalize(&intlabel, &newlabel); if (error) return (error); /* * XXX: Note that this is a redundant privilege check, since * policies impose this check themselves if required by the * policy. Eventually, this should go away. */ error = suser_cred(cred, 0); if (error) goto out; MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label, &intlabel); if (error) goto out; MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel); out: mac_destroy_temp(&intlabel); return (error); } void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp) { MAC_PERFORM(create_devfs_vnode, de, &de->de_label, vp, &vp->v_label); } void mac_create_devfs_device(dev_t dev, struct devfs_dirent *de) { MAC_PERFORM(create_devfs_device, dev, de, &de->de_label); } static int mac_stdcreatevnode_ea(struct vnode *vp) { int error; MAC_CHECK(stdcreatevnode_ea, vp, &vp->v_label); return (error); } void mac_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *de) { MAC_PERFORM(create_devfs_directory, dirname, dirnamelen, de, &de->de_label); } /* * When a new vnode is created, this call will initialize its label. */ void mac_create_vnode(struct ucred *cred, struct vnode *parent, struct vnode *child) { int error; ASSERT_VOP_LOCKED(parent, "mac_create_vnode"); ASSERT_VOP_LOCKED(child, "mac_create_vnode"); error = vn_refreshlabel(parent, cred); if (error) { printf("mac_create_vnode: vn_refreshlabel returned %d\n", error); printf("mac_create_vnode: using old vnode label\n"); } MAC_PERFORM(create_vnode, cred, parent, &parent->v_label, child, &child->v_label); } int mac_setsockopt_label_set(struct ucred *cred, struct socket *so, struct mac *extmac) { struct label intlabel; int error; error = mac_internalize(&intlabel, extmac); if (error) return (error); mac_check_socket_relabel(cred, so, &intlabel); if (error) { mac_destroy_temp(&intlabel); return (error); } mac_relabel_socket(cred, so, &intlabel); mac_destroy_temp(&intlabel); return (0); } int mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) { int error; error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); mac_relabel_pipe(cred, pipe, label); return (0); } int mac_getsockopt_label_get(struct ucred *cred, struct socket *so, struct mac *extmac) { return (mac_externalize(&so->so_label, extmac)); } int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, struct mac *extmac) { return (mac_externalize(&so->so_peerlabel, extmac)); } /* * Implementation of VOP_SETLABEL() that relies on extended attributes * to store label data. Can be referenced by filesystems supporting * extended attributes. */ int vop_stdsetlabel_ea(struct vop_setlabel_args *ap) { struct vnode *vp = ap->a_vp; struct label *intlabel = ap->a_label; struct mac extmac; int error; ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea"); /* * XXX: Eventually call out to EA check/set calls here. * Be particularly careful to avoid race conditions, * consistency problems, and stability problems when * dealing with multiple EAs. In particular, we require * the ability to write multiple EAs on the same file in * a single transaction, which the current EA interface * does not provide. */ error = mac_externalize(intlabel, &extmac); if (error) return (error); error = vn_extattr_set(vp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, sizeof(extmac), (char *)&extmac, curthread); if (error) return (error); mac_relabel_vnode(ap->a_cred, vp, intlabel); vp->v_vflag |= VV_CACHEDLABEL; return (0); } static int vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) { int error; if (vp->v_mount == NULL) { /* printf("vn_setlabel: null v_mount\n"); */ if (vp->v_tag != VT_NON) printf("vn_setlabel: null v_mount with non-VT_NON\n"); return (EBADF); } if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) return (EOPNOTSUPP); /* * Multi-phase commit. First check the policies to confirm the * change is OK. Then commit via the filesystem. Finally, * update the actual vnode label. Question: maybe the filesystem * should update the vnode at the end as part of VOP_SETLABEL()? */ error = mac_check_vnode_relabel(cred, vp, intlabel); if (error) return (error); /* * VADMIN provides the opportunity for the filesystem to make * decisions about who is and is not able to modify labels * and protections on files. This might not be right. We can't * assume VOP_SETLABEL() will do it, because we might implement * that as part of vop_stdsetlabel_ea(). */ error = VOP_ACCESS(vp, VADMIN, cred, curthread); if (error) return (error); error = VOP_SETLABEL(vp, intlabel, cred, curthread); if (error) return (error); return (0); } /* * MPSAFE */ int __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) { struct mac extmac; int error; error = mac_externalize(&td->td_ucred->cr_label, &extmac); if (error == 0) error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); return (error); } /* * MPSAFE * * XXX: Needs to be re-written for proc locking. */ int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { struct ucred *newcred, *oldcred; struct proc *p; struct mac extmac; struct label intlabel; int error; error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) return (error); error = mac_internalize(&intlabel, &extmac); if (error) return (error); newcred = crget(); p = td->td_proc; PROC_LOCK(p); oldcred = p->p_ucred; error = mac_check_cred_relabel(oldcred, &intlabel); if (error) { PROC_UNLOCK(p); mac_destroy_temp(&intlabel); crfree(newcred); return (error); } setsugid(p); crcopy(newcred, oldcred); PROC_UNLOCK(p); mac_relabel_cred(newcred, &intlabel); PROC_LOCK(p); p->p_ucred = newcred; PROC_UNLOCK(p); crfree(oldcred); mac_destroy_temp(&intlabel); return (0); } /* * MPSAFE */ int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { struct file *fp; struct mac extmac; struct vnode *vp; struct pipe *pipe; int error; mtx_lock(&Giant); error = fget(td, SCARG(uap, fd), &fp); if (error) goto out; switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: vp = (struct vnode *)fp->f_data; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = vn_refreshlabel(vp, td->td_ucred); if (error == 0) error = mac_externalize(&vp->v_label, &extmac); VOP_UNLOCK(vp, 0, td); break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; error = mac_externalize(pipe->pipe_label, &extmac); break; default: error = EINVAL; } if (error == 0) error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); fdrop(fp, td); out: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { struct nameidata nd; struct mac extmac; int error; mtx_lock(&Giant); NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, SCARG(uap, path_p), td); error = namei(&nd); if (error) goto out; error = vn_refreshlabel(nd.ni_vp, td->td_ucred); if (error == 0) error = mac_externalize(&nd.ni_vp->v_label, &extmac); NDFREE(&nd, 0); if (error) goto out; error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); out: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { struct file *fp; struct mac extmac; struct label intlabel; struct mount *mp; struct vnode *vp; struct pipe *pipe; int error; mtx_lock(&Giant); error = fget(td, SCARG(uap, fd), &fp); if (error) goto out1; error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) goto out2; error = mac_internalize(&intlabel, &extmac); if (error) goto out2; switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: vp = (struct vnode *)fp->f_data; error = vn_start_write(vp, &mp, V_WAIT | PCATCH); if (error != 0) break; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = vn_setlabel(vp, &intlabel, td->td_ucred); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); mac_destroy_temp(&intlabel); break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); break; default: error = EINVAL; } out2: fdrop(fp, td); out1: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { struct nameidata nd; struct mac extmac; struct label intlabel; struct mount *mp; int error; mtx_lock(&Giant); error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) goto out; error = mac_internalize(&intlabel, &extmac); if (error) goto out; NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, SCARG(uap, path_p), td); error = namei(&nd); if (error) goto out2; error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error) goto out2; error = vn_setlabel(nd.ni_vp, &intlabel, td->td_ucred); vn_finished_write(mp); out2: mac_destroy_temp(&intlabel); NDFREE(&nd, 0); out: mtx_unlock(&Giant); return (error); } SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); #else /* !MAC */ int __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) { return (ENOSYS); } int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { return (ENOSYS); } int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { return (ENOSYS); } int __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { return (ENOSYS); } int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { return (ENOSYS); } int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { return (ENOSYS); } #endif /* !MAC */ Index: head/sys/security/mac/mac_vfs.c =================================================================== --- head/sys/security/mac/mac_vfs.c (revision 102111) +++ head/sys/security/mac/mac_vfs.c (revision 102112) @@ -1,3174 +1,3221 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the * TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by NAI Labs, * the Security Research Division of Network Associates, Inc. under * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The names of the authors may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ /* * Developed by the TrustedBSD Project. * * Framework for extensible kernel access control. Kernel and userland * interface to the framework, policy registration and composition. */ #include "opt_mac.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef MAC /* * Declare that the kernel provides MAC support, version 1. This permits * modules to refuse to be loaded if the necessary support isn't present, * even if it's pre-boot. */ MODULE_VERSION(kernel_mac_support, 1); SYSCTL_DECL(_security); SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0, "TrustedBSD MAC policy controls"); SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0, "TrustedBSD MAC debug info"); static int mac_debug_label_fallback = 0; SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW, &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label" "when label is corrupted."); TUNABLE_INT("security.mac.debug_label_fallback", &mac_debug_label_fallback); #ifndef MAC_MAX_POLICIES #define MAC_MAX_POLICIES 8 #endif #if MAC_MAX_POLICIES > 32 #error "MAC_MAX_POLICIES too large" #endif static unsigned int mac_max_policies = MAC_MAX_POLICIES; static unsigned int mac_policy_offsets_free = (1 << MAC_MAX_POLICIES) - 1; SYSCTL_UINT(_security_mac, OID_AUTO, max_policies, CTLFLAG_RD, &mac_max_policies, 0, ""); static int mac_late = 0; static int mac_enforce_fs = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); static int mac_enforce_network = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, &mac_enforce_network, 0, "Enforce MAC policy on network packets"); TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network); static int mac_enforce_process = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW, &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations"); TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process); static int mac_enforce_socket = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); static int mac_enforce_pipe = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW, &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations"); static int mac_label_size = sizeof(struct mac); SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, &mac_label_size, 0, "Pre-compiled MAC label size"); static int mac_cache_fslabel_in_vnode = 1; SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW, &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode"); TUNABLE_INT("security.mac.cache_fslabel_in_vnode", &mac_cache_fslabel_in_vnode); static int mac_vnode_label_cache_hits = 0; SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD, &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels"); static int mac_vnode_label_cache_misses = 0; SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD, &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels"); static int mac_mmap_revocation_via_cow = 0; SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " "copy-on-write semantics, or by removing all write access"); #ifdef MAC_DEBUG static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, nmacipqs, nmacpipes; SYSCTL_UINT(_security_mac_debug, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, creds, CTLFLAG_RD, &nmaccreds, 0, "number of ucreds in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, ifnets, CTLFLAG_RD, &nmacifnets, 0, "number of ifnets in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, ipqs, CTLFLAG_RD, &nmacipqs, 0, "number of ipqs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, bpfdescs, CTLFLAG_RD, &nmacbpfdescs, 0, "number of bpfdescs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, pipes, CTLFLAG_RD, &nmacpipes, 0, "number of pipes in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, mounts, CTLFLAG_RD, &nmacmounts, 0, "number of mounts in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, temp, CTLFLAG_RD, &nmactemp, 0, "number of temporary labels in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, vnodes, CTLFLAG_RD, &nmacvnodes, 0, "number of vnodes in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, devfsdirents, CTLFLAG_RD, &nmacdevfsdirents, 0, "number of devfs dirents inuse"); #endif static int error_select(int error1, int error2); static int mac_externalize(struct label *label, struct mac *mac); static int mac_policy_register(struct mac_policy_conf *mpc); static int mac_policy_unregister(struct mac_policy_conf *mpc); static int mac_stdcreatevnode_ea(struct vnode *vp); static void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred); static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map); MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector"); MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes"); /* * mac_policy_list_lock protects the consistency of 'mac_policy_list', * the linked list of attached policy modules. Read-only consumers of * the list must acquire a shared lock for the duration of their use; * writers must acquire an exclusive lock. Note that for compound * operations, locks should be held for the entire compound operation, * and that this is not yet done for relabel requests. */ static struct mtx mac_policy_list_lock; static LIST_HEAD(, mac_policy_conf) mac_policy_list; static int mac_policy_list_busy; #define MAC_POLICY_LIST_LOCKINIT() mtx_init(&mac_policy_list_lock, \ "mac_policy_list_lock", NULL, MTX_DEF); #define MAC_POLICY_LIST_LOCK() mtx_lock(&mac_policy_list_lock); #define MAC_POLICY_LIST_UNLOCK() mtx_unlock(&mac_policy_list_lock); #define MAC_POLICY_LIST_BUSY() do { \ MAC_POLICY_LIST_LOCK(); \ mac_policy_list_busy++; \ MAC_POLICY_LIST_UNLOCK(); \ } while (0) #define MAC_POLICY_LIST_UNBUSY() do { \ MAC_POLICY_LIST_LOCK(); \ mac_policy_list_busy--; \ if (mac_policy_list_busy < 0) \ panic("Extra mac_policy_list_busy--"); \ MAC_POLICY_LIST_UNLOCK(); \ } while (0) /* * MAC_CHECK performs the designated check by walking the policy * module list and checking with each as to how it feels about the * request. Note that it returns its value via 'error' in the scope * of the caller. */ #define MAC_CHECK(check, args...) do { \ struct mac_policy_conf *mpc; \ \ error = 0; \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## check != NULL) \ error = error_select( \ mpc->mpc_ops->mpo_ ## check (args), \ error); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * MAC_BOOLEAN performs the designated boolean composition by walking * the module list, invoking each instance of the operation, and * combining the results using the passed C operator. Note that it * returns its value via 'result' in the scope of the caller, which * should be initialized by the caller in a meaningful way to get * a meaningful result. */ #define MAC_BOOLEAN(operation, composition, args...) do { \ struct mac_policy_conf *mpc; \ \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## operation != NULL) \ result = result composition \ mpc->mpc_ops->mpo_ ## operation (args); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * MAC_PERFORM performs the designated operation by walking the policy * module list and invoking that operation for each policy. */ #define MAC_PERFORM(operation, args...) do { \ struct mac_policy_conf *mpc; \ \ MAC_POLICY_LIST_BUSY(); \ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ if (mpc->mpc_ops->mpo_ ## operation != NULL) \ mpc->mpc_ops->mpo_ ## operation (args); \ } \ MAC_POLICY_LIST_UNBUSY(); \ } while (0) /* * Initialize the MAC subsystem, including appropriate SMP locks. */ static void mac_init(void) { LIST_INIT(&mac_policy_list); MAC_POLICY_LIST_LOCKINIT(); } /* * For the purposes of modules that want to know if they were loaded * "early", set the mac_late flag once we've processed modules either * linked into the kernel, or loaded before the kernel startup. */ static void mac_late_init(void) { mac_late = 1; } /* * Allow MAC policy modules to register during boot, etc. */ int mac_policy_modevent(module_t mod, int type, void *data) { struct mac_policy_conf *mpc; int error; error = 0; mpc = (struct mac_policy_conf *) data; switch (type) { case MOD_LOAD: if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE && mac_late) { printf("mac_policy_modevent: can't load %s policy " "after booting\n", mpc->mpc_name); error = EBUSY; break; } error = mac_policy_register(mpc); break; case MOD_UNLOAD: /* Don't unregister the module if it was never registered. */ if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) != 0) error = mac_policy_unregister(mpc); else error = 0; break; default: break; } return (error); } static int mac_policy_register(struct mac_policy_conf *mpc) { struct mac_policy_conf *tmpc; struct mac_policy_ops *ops; struct mac_policy_op_entry *mpe; int slot; MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*ops), M_MACOPVEC, M_WAITOK | M_ZERO); for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) { switch (mpe->mpe_constant) { case MAC_OP_LAST: /* * Doesn't actually happen, but this allows checking * that all enumerated values are handled. */ break; case MAC_DESTROY: mpc->mpc_ops->mpo_destroy = mpe->mpe_function; break; case MAC_INIT: mpc->mpc_ops->mpo_init = mpe->mpe_function; break; case MAC_INIT_BPFDESC: mpc->mpc_ops->mpo_init_bpfdesc = mpe->mpe_function; break; case MAC_INIT_CRED: mpc->mpc_ops->mpo_init_cred = mpe->mpe_function; break; case MAC_INIT_DEVFSDIRENT: mpc->mpc_ops->mpo_init_devfsdirent = mpe->mpe_function; break; case MAC_INIT_IFNET: mpc->mpc_ops->mpo_init_ifnet = mpe->mpe_function; break; case MAC_INIT_IPQ: mpc->mpc_ops->mpo_init_ipq = mpe->mpe_function; break; case MAC_INIT_MBUF: mpc->mpc_ops->mpo_init_mbuf = mpe->mpe_function; break; case MAC_INIT_MOUNT: mpc->mpc_ops->mpo_init_mount = mpe->mpe_function; break; case MAC_INIT_PIPE: mpc->mpc_ops->mpo_init_pipe = mpe->mpe_function; break; case MAC_INIT_SOCKET: mpc->mpc_ops->mpo_init_socket = mpe->mpe_function; break; case MAC_INIT_TEMP: mpc->mpc_ops->mpo_init_temp = mpe->mpe_function; break; case MAC_INIT_VNODE: mpc->mpc_ops->mpo_init_vnode = mpe->mpe_function; break; case MAC_DESTROY_BPFDESC: mpc->mpc_ops->mpo_destroy_bpfdesc = mpe->mpe_function; break; case MAC_DESTROY_CRED: mpc->mpc_ops->mpo_destroy_cred = mpe->mpe_function; break; case MAC_DESTROY_DEVFSDIRENT: mpc->mpc_ops->mpo_destroy_devfsdirent = mpe->mpe_function; break; case MAC_DESTROY_IFNET: mpc->mpc_ops->mpo_destroy_ifnet = mpe->mpe_function; break; case MAC_DESTROY_IPQ: mpc->mpc_ops->mpo_destroy_ipq = mpe->mpe_function; break; case MAC_DESTROY_MBUF: mpc->mpc_ops->mpo_destroy_mbuf = mpe->mpe_function; break; case MAC_DESTROY_MOUNT: mpc->mpc_ops->mpo_destroy_mount = mpe->mpe_function; break; case MAC_DESTROY_PIPE: mpc->mpc_ops->mpo_destroy_pipe = mpe->mpe_function; break; case MAC_DESTROY_SOCKET: mpc->mpc_ops->mpo_destroy_socket = mpe->mpe_function; break; case MAC_DESTROY_TEMP: mpc->mpc_ops->mpo_destroy_temp = mpe->mpe_function; break; case MAC_DESTROY_VNODE: mpc->mpc_ops->mpo_destroy_vnode = mpe->mpe_function; break; case MAC_EXTERNALIZE: mpc->mpc_ops->mpo_externalize = mpe->mpe_function; break; case MAC_INTERNALIZE: mpc->mpc_ops->mpo_internalize = mpe->mpe_function; break; case MAC_CREATE_DEVFS_DEVICE: mpc->mpc_ops->mpo_create_devfs_device = mpe->mpe_function; break; case MAC_CREATE_DEVFS_DIRECTORY: mpc->mpc_ops->mpo_create_devfs_directory = mpe->mpe_function; break; case MAC_CREATE_DEVFS_VNODE: mpc->mpc_ops->mpo_create_devfs_vnode = mpe->mpe_function; break; case MAC_STDCREATEVNODE_EA: mpc->mpc_ops->mpo_stdcreatevnode_ea = mpe->mpe_function; break; case MAC_CREATE_VNODE: mpc->mpc_ops->mpo_create_vnode = mpe->mpe_function; break; case MAC_CREATE_MOUNT: mpc->mpc_ops->mpo_create_mount = mpe->mpe_function; break; case MAC_CREATE_ROOT_MOUNT: mpc->mpc_ops->mpo_create_root_mount = mpe->mpe_function; break; case MAC_RELABEL_VNODE: mpc->mpc_ops->mpo_relabel_vnode = mpe->mpe_function; break; case MAC_UPDATE_DEVFSDIRENT: mpc->mpc_ops->mpo_update_devfsdirent = mpe->mpe_function; break; case MAC_UPDATE_PROCFSVNODE: mpc->mpc_ops->mpo_update_procfsvnode = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_EXTATTR: mpc->mpc_ops->mpo_update_vnode_from_extattr = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_EXTERNALIZED: mpc->mpc_ops->mpo_update_vnode_from_externalized = mpe->mpe_function; break; case MAC_UPDATE_VNODE_FROM_MOUNT: mpc->mpc_ops->mpo_update_vnode_from_mount = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_SOCKET: mpc->mpc_ops->mpo_create_mbuf_from_socket = mpe->mpe_function; break; case MAC_CREATE_PIPE: mpc->mpc_ops->mpo_create_pipe = mpe->mpe_function; break; case MAC_CREATE_SOCKET: mpc->mpc_ops->mpo_create_socket = mpe->mpe_function; break; case MAC_CREATE_SOCKET_FROM_SOCKET: mpc->mpc_ops->mpo_create_socket_from_socket = mpe->mpe_function; break; case MAC_RELABEL_PIPE: mpc->mpc_ops->mpo_relabel_pipe = mpe->mpe_function; break; case MAC_RELABEL_SOCKET: mpc->mpc_ops->mpo_relabel_socket = mpe->mpe_function; break; case MAC_SET_SOCKET_PEER_FROM_MBUF: mpc->mpc_ops->mpo_set_socket_peer_from_mbuf = mpe->mpe_function; break; case MAC_SET_SOCKET_PEER_FROM_SOCKET: mpc->mpc_ops->mpo_set_socket_peer_from_socket = mpe->mpe_function; break; case MAC_CREATE_BPFDESC: mpc->mpc_ops->mpo_create_bpfdesc = mpe->mpe_function; break; case MAC_CREATE_DATAGRAM_FROM_IPQ: mpc->mpc_ops->mpo_create_datagram_from_ipq = mpe->mpe_function; break; case MAC_CREATE_FRAGMENT: mpc->mpc_ops->mpo_create_fragment = mpe->mpe_function; break; case MAC_CREATE_IFNET: mpc->mpc_ops->mpo_create_ifnet = mpe->mpe_function; break; case MAC_CREATE_IPQ: mpc->mpc_ops->mpo_create_ipq = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_MBUF: mpc->mpc_ops->mpo_create_mbuf_from_mbuf = mpe->mpe_function; break; case MAC_CREATE_MBUF_LINKLAYER: mpc->mpc_ops->mpo_create_mbuf_linklayer = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_BPFDESC: mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_IFNET: mpc->mpc_ops->mpo_create_mbuf_from_ifnet = mpe->mpe_function; break; case MAC_CREATE_MBUF_MULTICAST_ENCAP: mpc->mpc_ops->mpo_create_mbuf_multicast_encap = mpe->mpe_function; break; case MAC_CREATE_MBUF_NETLAYER: mpc->mpc_ops->mpo_create_mbuf_netlayer = mpe->mpe_function; break; case MAC_FRAGMENT_MATCH: mpc->mpc_ops->mpo_fragment_match = mpe->mpe_function; break; case MAC_RELABEL_IFNET: mpc->mpc_ops->mpo_relabel_ifnet = mpe->mpe_function; break; case MAC_UPDATE_IPQ: mpc->mpc_ops->mpo_update_ipq = mpe->mpe_function; break; case MAC_CREATE_CRED: mpc->mpc_ops->mpo_create_cred = mpe->mpe_function; break; case MAC_EXECVE_TRANSITION: mpc->mpc_ops->mpo_execve_transition = mpe->mpe_function; break; case MAC_EXECVE_WILL_TRANSITION: mpc->mpc_ops->mpo_execve_will_transition = mpe->mpe_function; break; case MAC_CREATE_PROC0: mpc->mpc_ops->mpo_create_proc0 = mpe->mpe_function; break; case MAC_CREATE_PROC1: mpc->mpc_ops->mpo_create_proc1 = mpe->mpe_function; break; case MAC_RELABEL_CRED: mpc->mpc_ops->mpo_relabel_cred = mpe->mpe_function; break; case MAC_CHECK_BPFDESC_RECEIVE: mpc->mpc_ops->mpo_check_bpfdesc_receive = mpe->mpe_function; break; case MAC_CHECK_CRED_RELABEL: mpc->mpc_ops->mpo_check_cred_relabel = mpe->mpe_function; break; case MAC_CHECK_CRED_VISIBLE: mpc->mpc_ops->mpo_check_cred_visible = mpe->mpe_function; break; case MAC_CHECK_IFNET_RELABEL: mpc->mpc_ops->mpo_check_ifnet_relabel = mpe->mpe_function; break; case MAC_CHECK_IFNET_TRANSMIT: mpc->mpc_ops->mpo_check_ifnet_transmit = mpe->mpe_function; break; case MAC_CHECK_MOUNT_STAT: mpc->mpc_ops->mpo_check_mount_stat = mpe->mpe_function; break; case MAC_CHECK_PIPE_IOCTL: mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; case MAC_CHECK_PIPE_OP: mpc->mpc_ops->mpo_check_pipe_op = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; break; case MAC_CHECK_PROC_SCHED: mpc->mpc_ops->mpo_check_proc_sched = mpe->mpe_function; break; case MAC_CHECK_PROC_SIGNAL: mpc->mpc_ops->mpo_check_proc_signal = mpe->mpe_function; break; case MAC_CHECK_SOCKET_BIND: mpc->mpc_ops->mpo_check_socket_bind = mpe->mpe_function; break; case MAC_CHECK_SOCKET_CONNECT: mpc->mpc_ops->mpo_check_socket_connect = mpe->mpe_function; break; case MAC_CHECK_SOCKET_DELIVER: mpc->mpc_ops->mpo_check_socket_deliver = mpe->mpe_function; break; case MAC_CHECK_SOCKET_LISTEN: mpc->mpc_ops->mpo_check_socket_listen = mpe->mpe_function; break; case MAC_CHECK_SOCKET_RELABEL: mpc->mpc_ops->mpo_check_socket_relabel = mpe->mpe_function; break; case MAC_CHECK_SOCKET_VISIBLE: mpc->mpc_ops->mpo_check_socket_visible = mpe->mpe_function; break; case MAC_CHECK_VNODE_ACCESS: mpc->mpc_ops->mpo_check_vnode_access = mpe->mpe_function; break; case MAC_CHECK_VNODE_CHDIR: mpc->mpc_ops->mpo_check_vnode_chdir = mpe->mpe_function; break; case MAC_CHECK_VNODE_CHROOT: mpc->mpc_ops->mpo_check_vnode_chroot = mpe->mpe_function; break; case MAC_CHECK_VNODE_CREATE: mpc->mpc_ops->mpo_check_vnode_create = mpe->mpe_function; break; case MAC_CHECK_VNODE_DELETE: mpc->mpc_ops->mpo_check_vnode_delete = mpe->mpe_function; break; case MAC_CHECK_VNODE_DELETEACL: mpc->mpc_ops->mpo_check_vnode_deleteacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_EXEC: mpc->mpc_ops->mpo_check_vnode_exec = mpe->mpe_function; break; case MAC_CHECK_VNODE_GETACL: mpc->mpc_ops->mpo_check_vnode_getacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_GETEXTATTR: mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; case MAC_CHECK_VNODE_LOOKUP: mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; break; case MAC_CHECK_VNODE_MMAP_PERMS: mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; break; case MAC_CHECK_VNODE_READLINK: mpc->mpc_ops->mpo_check_vnode_readlink = mpe->mpe_function; break; case MAC_CHECK_VNODE_RELABEL: mpc->mpc_ops->mpo_check_vnode_relabel = mpe->mpe_function; break; case MAC_CHECK_VNODE_RENAME_FROM: mpc->mpc_ops->mpo_check_vnode_rename_from = mpe->mpe_function; break; case MAC_CHECK_VNODE_RENAME_TO: mpc->mpc_ops->mpo_check_vnode_rename_to = mpe->mpe_function; break; case MAC_CHECK_VNODE_REVOKE: mpc->mpc_ops->mpo_check_vnode_revoke = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETACL: mpc->mpc_ops->mpo_check_vnode_setacl = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETEXTATTR: mpc->mpc_ops->mpo_check_vnode_setextattr = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETFLAGS: mpc->mpc_ops->mpo_check_vnode_setflags = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETMODE: mpc->mpc_ops->mpo_check_vnode_setmode = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETOWNER: mpc->mpc_ops->mpo_check_vnode_setowner = mpe->mpe_function; break; case MAC_CHECK_VNODE_SETUTIMES: mpc->mpc_ops->mpo_check_vnode_setutimes = mpe->mpe_function; break; case MAC_CHECK_VNODE_STAT: mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", mpc->mpc_name, mpe->mpe_constant); return (EINVAL); */ } } MAC_POLICY_LIST_LOCK(); if (mac_policy_list_busy > 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (EBUSY); } LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (EEXIST); } } if (mpc->mpc_field_off != NULL) { slot = ffs(mac_policy_offsets_free); if (slot == 0) { MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; return (ENOMEM); } slot--; mac_policy_offsets_free &= ~(1 << slot); *mpc->mpc_field_off = slot; } mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED; LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list); /* Per-policy initialization. */ if (mpc->mpc_ops->mpo_init != NULL) (*(mpc->mpc_ops->mpo_init))(mpc); MAC_POLICY_LIST_UNLOCK(); printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); return (0); } static int mac_policy_unregister(struct mac_policy_conf *mpc) { #if 0 /* * Don't allow unloading modules with private data. */ if (mpc->mpc_field_off != NULL) return (EBUSY); #endif if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) return (EBUSY); MAC_POLICY_LIST_LOCK(); if (mac_policy_list_busy > 0) { MAC_POLICY_LIST_UNLOCK(); return (EBUSY); } if (mpc->mpc_ops->mpo_destroy != NULL) (*(mpc->mpc_ops->mpo_destroy))(mpc); LIST_REMOVE(mpc, mpc_list); MAC_POLICY_LIST_UNLOCK(); FREE(mpc->mpc_ops, M_MACOPVEC); mpc->mpc_ops = NULL; printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); return (0); } /* * Define an error value precedence, and given two arguments, selects the * value with the higher precedence. */ static int error_select(int error1, int error2) { /* Certain decision-making errors take top priority. */ if (error1 == EDEADLK || error2 == EDEADLK) return (EDEADLK); /* Invalid arguments should be reported where possible. */ if (error1 == EINVAL || error2 == EINVAL) return (EINVAL); /* Precedence goes to "visibility", with both process and file. */ if (error1 == ESRCH || error2 == ESRCH) return (ESRCH); if (error1 == ENOENT || error2 == ENOENT) return (ENOENT); /* Precedence goes to DAC/MAC protections. */ if (error1 == EACCES || error2 == EACCES) return (EACCES); /* Precedence goes to privilege. */ if (error1 == EPERM || error2 == EPERM) return (EPERM); /* Precedence goes to error over success; otherwise, arbitrary. */ if (error1 != 0) return (error1); return (error2); } void mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp) { MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label); } void mac_update_procfsvnode(struct vnode *vp, struct ucred *cred) { MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred); } /* * Support callout for policies that manage their own externalization * using extended attributes. */ static int mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp) { int error; MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp, &mp->mnt_fslabel); return (error); } /* * Given an externalized mac label, internalize it and stamp it on a * vnode. */ static int mac_update_vnode_from_externalized(struct vnode *vp, struct mac *extmac) { int error; MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac); return (error); } /* * Call out to individual policies to update the label in a vnode from * the mountpoint. */ void mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp) { MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp, &mp->mnt_fslabel); ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount"); if (mac_cache_fslabel_in_vnode) vp->v_vflag |= VV_CACHEDLABEL; } /* * Implementation of VOP_REFRESHLABEL() that relies on extended attributes * to store label data. Can be referenced by filesystems supporting * extended attributes. */ int vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap) { struct vnode *vp = ap->a_vp; struct mac extmac; int buflen, error; ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea"); /* * Call out to external policies first. Order doesn't really * matter, as long as failure of one assures failure of all. */ error = mac_update_vnode_from_extattr(vp, vp->v_mount); if (error) return (error); buflen = sizeof(extmac); error = vn_extattr_get(vp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen, (char *)&extmac, curthread); switch (error) { case 0: /* Got it */ break; case ENOATTR: /* * Use the label from the mount point. */ mac_update_vnode_from_mount(vp, vp->v_mount); return (0); case EOPNOTSUPP: default: /* Fail horribly. */ return (error); } if (buflen != sizeof(extmac)) error = EPERM; /* Fail very closed. */ if (error == 0) error = mac_update_vnode_from_externalized(vp, &extmac); if (error == 0) vp->v_vflag |= VV_CACHEDLABEL; else { struct vattr va; printf("Corrupted label on %s", vp->v_mount->mnt_stat.f_mntonname); if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0) printf(" inum %ld", va.va_fileid); if (mac_debug_label_fallback) { printf(", falling back.\n"); mac_update_vnode_from_mount(vp, vp->v_mount); error = 0; } else { printf(".\n"); error = EPERM; } } return (error); } /* * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle * the labeling activity outselves. Filesystems should be careful not * to change their minds regarding whether they support vop_refreshlabel() * for a vnode or not. Don't cache the vnode here, allow the file * system code to determine if it's safe to cache. If we update from * the mount, don't cache since a change to the mount label should affect * all vnodes. */ static int vn_refreshlabel(struct vnode *vp, struct ucred *cred) { int error; ASSERT_VOP_LOCKED(vp, "vn_refreshlabel"); if (vp->v_mount == NULL) { /* Eventually, we probably want to special-case refreshing of deadfs vnodes, and if there's a lock-free race somewhere, that case might be handled here. mac_update_vnode_deadfs(vp); return (0); */ /* printf("vn_refreshlabel: null v_mount\n"); */ if (vp->v_tag != VT_NON) printf( "vn_refreshlabel: null v_mount with non-VT_NON\n"); return (EBADF); } if (vp->v_vflag & VV_CACHEDLABEL) { mac_vnode_label_cache_hits++; return (0); } else mac_vnode_label_cache_misses++; if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { mac_update_vnode_from_mount(vp, vp->v_mount); return (0); } error = VOP_REFRESHLABEL(vp, cred, curthread); switch (error) { case EOPNOTSUPP: /* * If labels are not supported on this vnode, fall back to * the label in the mount and propagate it to the vnode. * There should probably be some sort of policy/flag/decision * about doing this. */ mac_update_vnode_from_mount(vp, vp->v_mount); error = 0; default: return (error); } } /* * Helper function for file systems using the vop_std*_ea() calls. This * function must be called after EA service is available for the vnode, * but before it's hooked up to the namespace so that the node persists * if there's a crash, or before it can be accessed. On successful * commit of the label to disk (etc), do cache the label. */ int vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred) { struct mac extmac; int error; ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea"); if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { mac_update_vnode_from_mount(tvp, tvp->v_mount); } else { error = vn_refreshlabel(dvp, cred); if (error) return (error); /* * Stick the label in the vnode. Then try to write to * disk. If we fail, return a failure to abort the * create operation. Really, this failure shouldn't * happen except in fairly unusual circumstances (out * of disk, etc). */ mac_create_vnode(cred, dvp, tvp); error = mac_stdcreatevnode_ea(tvp); if (error) return (error); /* * XXX: Eventually this will go away and all policies will * directly manage their extended attributes. */ error = mac_externalize(&tvp->v_label, &extmac); if (error) return (error); error = vn_extattr_set(tvp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, sizeof(extmac), (char *)&extmac, curthread); if (error == 0) tvp->v_vflag |= VV_CACHEDLABEL; else { #if 0 /* * In theory, we could have fall-back behavior here. * It would probably be incorrect. */ #endif return (error); } } return (0); } void mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_execve_transition"); error = vn_refreshlabel(vp, old); if (error) { printf("mac_execve_transition: vn_refreshlabel returned %d\n", error); printf("mac_execve_transition: using old vnode label\n"); } MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label); } int mac_execve_will_transition(struct ucred *old, struct vnode *vp) { int error, result; error = vn_refreshlabel(vp, old); if (error) return (error); result = 0; MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label); return (result); } static void mac_init_label(struct label *label) { bzero(label, sizeof(*label)); label->l_flags = MAC_FLAG_INITIALIZED; } static void mac_init_structmac(struct mac *mac) { bzero(mac, sizeof(*mac)); mac->m_macflags = MAC_FLAG_INITIALIZED; } static void mac_destroy_label(struct label *label) { KASSERT(label->l_flags & MAC_FLAG_INITIALIZED, ("destroying uninitialized label")); bzero(label, sizeof(*label)); /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */ } int mac_init_mbuf(struct mbuf *m, int how) { KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf")); /* "how" is one of M_(TRY|DONT)WAIT */ mac_init_label(&m->m_pkthdr.label); MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_add_int(&nmacmbufs, 1); #endif return (0); } void mac_destroy_mbuf(struct mbuf *m) { MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmbufs, 1); #endif } void mac_init_cred(struct ucred *cr) { mac_init_label(&cr->cr_label); MAC_PERFORM(init_cred, cr, &cr->cr_label); #ifdef MAC_DEBUG atomic_add_int(&nmaccreds, 1); #endif } void mac_destroy_cred(struct ucred *cr) { MAC_PERFORM(destroy_cred, cr, &cr->cr_label); mac_destroy_label(&cr->cr_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmaccreds, 1); #endif } void mac_init_ifnet(struct ifnet *ifp) { mac_init_label(&ifp->if_label); MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); #ifdef MAC_DEBUG atomic_add_int(&nmacifnets, 1); #endif } void mac_destroy_ifnet(struct ifnet *ifp) { MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacifnets, 1); #endif } void mac_init_ipq(struct ipq *ipq) { mac_init_label(&ipq->ipq_label); MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); #ifdef MAC_DEBUG atomic_add_int(&nmacipqs, 1); #endif } void mac_destroy_ipq(struct ipq *ipq) { MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); mac_destroy_label(&ipq->ipq_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacipqs, 1); #endif } void mac_init_socket(struct socket *socket) { mac_init_label(&socket->so_label); mac_init_label(&socket->so_peerlabel); MAC_PERFORM(init_socket, socket, &socket->so_label, &socket->so_peerlabel); #ifdef MAC_DEBUG atomic_add_int(&nmacsockets, 1); #endif } void mac_destroy_socket(struct socket *socket) { MAC_PERFORM(destroy_socket, socket, &socket->so_label, &socket->so_peerlabel); mac_destroy_label(&socket->so_label); mac_destroy_label(&socket->so_peerlabel); #ifdef MAC_DEBUG atomic_subtract_int(&nmacsockets, 1); #endif } void mac_init_pipe(struct pipe *pipe) { struct label *label; label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); mac_init_label(label); pipe->pipe_label = label; pipe->pipe_peer->pipe_label = label; MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); #ifdef MAC_DEBUG atomic_add_int(&nmacpipes, 1); #endif } void mac_destroy_pipe(struct pipe *pipe) { MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); mac_destroy_label(pipe->pipe_label); free(pipe->pipe_label, M_MACPIPELABEL); #ifdef MAC_DEBUG atomic_subtract_int(&nmacpipes, 1); #endif } void mac_init_bpfdesc(struct bpf_d *bpf_d) { mac_init_label(&bpf_d->bd_label); MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); #ifdef MAC_DEBUG atomic_add_int(&nmacbpfdescs, 1); #endif } void mac_destroy_bpfdesc(struct bpf_d *bpf_d) { MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); mac_destroy_label(&bpf_d->bd_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacbpfdescs, 1); #endif } void mac_init_mount(struct mount *mp) { mac_init_label(&mp->mnt_mntlabel); mac_init_label(&mp->mnt_fslabel); MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); #ifdef MAC_DEBUG atomic_add_int(&nmacmounts, 1); #endif } void mac_destroy_mount(struct mount *mp) { MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); mac_destroy_label(&mp->mnt_fslabel); mac_destroy_label(&mp->mnt_mntlabel); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmounts, 1); #endif } static void mac_init_temp(struct label *label) { mac_init_label(label); MAC_PERFORM(init_temp, label); #ifdef MAC_DEBUG atomic_add_int(&nmactemp, 1); #endif } static void mac_destroy_temp(struct label *label) { MAC_PERFORM(destroy_temp, label); mac_destroy_label(label); #ifdef MAC_DEBUG atomic_subtract_int(&nmactemp, 1); #endif } void mac_init_vnode(struct vnode *vp) { mac_init_label(&vp->v_label); MAC_PERFORM(init_vnode, vp, &vp->v_label); #ifdef MAC_DEBUG atomic_add_int(&nmacvnodes, 1); #endif } void mac_destroy_vnode(struct vnode *vp) { MAC_PERFORM(destroy_vnode, vp, &vp->v_label); mac_destroy_label(&vp->v_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacvnodes, 1); #endif } void mac_init_devfsdirent(struct devfs_dirent *de) { mac_init_label(&de->de_label); MAC_PERFORM(init_devfsdirent, de, &de->de_label); #ifdef MAC_DEBUG atomic_add_int(&nmacdevfsdirents, 1); #endif } void mac_destroy_devfsdirent(struct devfs_dirent *de) { MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); mac_destroy_label(&de->de_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacdevfsdirents, 1); #endif } static int mac_externalize(struct label *label, struct mac *mac) { int error; mac_init_structmac(mac); MAC_CHECK(externalize, label, mac); return (error); } static int mac_internalize(struct label *label, struct mac *mac) { int error; mac_init_temp(label); MAC_CHECK(internalize, label, mac); if (error) mac_destroy_temp(label); return (error); } /* * Initialize MAC label for the first kernel process, from which other * kernel processes and threads are spawned. */ void mac_create_proc0(struct ucred *cred) { MAC_PERFORM(create_proc0, cred); } /* * Initialize MAC label for the first userland process, from which other * userland processes and threads are spawned. */ void mac_create_proc1(struct ucred *cred) { MAC_PERFORM(create_proc1, cred); } /* * When a new process is created, its label must be initialized. Generally, * this involves inheritence from the parent process, modulo possible * deltas. This function allows that processing to take place. */ void mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred) { MAC_PERFORM(create_cred, parent_cred, child_cred); } int mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags); return (error); } int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct componentname *cnp, struct vattr *vap) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap); return (error); } int mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type); return (error); } int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec"); if (!mac_enforce_process && !mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label); return (error); } int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type); return (error); } int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp); return (error); } vm_prot_t mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) { vm_prot_t result = VM_PROT_ALL; /* * This should be some sort of MAC_BITWISE, maybe :) */ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_perms"); MAC_BOOLEAN(check_vnode_mmap_perms, &, cred, vp, &vp->v_label, newmapping); return (result); } int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) +mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + if (!mac_enforce_fs) return (0); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + return (error); +} + +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); + error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); return (error); } int -mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + return (error); } int mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label); return (error); } int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label); return (error); } static int mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel"); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel); return (error); } int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, struct vnode *vp, int samedir, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(dvp, cred); if (error) return (error); if (vp != NULL) { error = vn_refreshlabel(vp, cred); if (error) return (error); } MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp, vp != NULL ? &vp->v_label : NULL, samedir, cnp); return (error); } int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label); return (error); } int mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, struct acl *acl) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl); return (error); } int mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags); return (error); } int mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode); return (error); } int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, gid_t gid) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid); return (error); } int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime, mtime); return (error); } int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat"); if (!mac_enforce_fs) return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label); return (error); } + +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its * memory space, and revoke access (in the least surprising ways we * know) when necessary. The process lock is not held here. */ static void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred) { /* XXX freeze all other threads */ mtx_lock(&Giant); mac_cred_mmapped_drop_perms_recurse(td, cred, &td->td_proc->p_vmspace->vm_map); mtx_unlock(&Giant); /* XXX allow other threads to continue */ } static __inline const char * prot2str(vm_prot_t prot) { switch (prot & VM_PROT_ALL) { case VM_PROT_READ: return ("r--"); case VM_PROT_READ | VM_PROT_WRITE: return ("rw-"); case VM_PROT_READ | VM_PROT_EXECUTE: return ("r-x"); case VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE: return ("rwx"); case VM_PROT_WRITE: return ("-w-"); case VM_PROT_EXECUTE: return ("--x"); case VM_PROT_WRITE | VM_PROT_EXECUTE: return ("-wx"); default: return ("---"); } } static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map) { struct vm_map_entry *vme; vm_prot_t result, revokeperms; vm_object_t object; vm_ooffset_t offset; struct vnode *vp; vm_map_lock_read(map); for (vme = map->header.next; vme != &map->header; vme = vme->next) { if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) { mac_cred_mmapped_drop_perms_recurse(td, cred, vme->object.sub_map); continue; } /* * Skip over entries that obviously are not shared. */ if (vme->eflags & (MAP_ENTRY_COW | MAP_ENTRY_NOSYNC) || !vme->max_protection) continue; /* * Drill down to the deepest backing object. */ offset = vme->offset; object = vme->object.vm_object; if (object == NULL) continue; while (object->backing_object != NULL) { object = object->backing_object; offset += object->backing_object_offset; } /* * At the moment, vm_maps and objects aren't considered * by the MAC system, so only things with backing by a * normal object (read: vnodes) are checked. */ if (object->type != OBJT_VNODE) continue; vp = (struct vnode *)object->handle; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); result = mac_check_vnode_mmap_prot(cred, vp, 0); VOP_UNLOCK(vp, 0, td); /* * Find out what maximum protection we may be allowing * now but a policy needs to get removed. */ revokeperms = vme->max_protection & ~result; if (!revokeperms) continue; printf("pid %d: revoking %s perms from %#lx:%d " "(max %s/cur %s)\n", td->td_proc->p_pid, prot2str(revokeperms), vme->start, vme->end - vme->start, prot2str(vme->max_protection), prot2str(vme->protection)); vm_map_lock_upgrade(map); /* * This is the really simple case: if a map has more * max_protection than is allowed, but it's not being * actually used (that is, the current protection is * still allowed), we can just wipe it out and do * nothing more. */ if ((vme->protection & revokeperms) == 0) { vme->max_protection -= revokeperms; } else { if (revokeperms & VM_PROT_WRITE) { /* * In the more complicated case, flush out all * pending changes to the object then turn it * copy-on-write. */ vm_object_reference(object); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); vm_object_page_clean(object, OFF_TO_IDX(offset), OFF_TO_IDX(offset + vme->end - vme->start + PAGE_MASK), OBJPC_SYNC); VOP_UNLOCK(vp, 0, td); vm_object_deallocate(object); /* * Why bother if there's no read permissions * anymore? For the rest, we need to leave * the write permissions on for COW, or * remove them entirely if configured to. */ if (!mac_mmap_revocation_via_cow) { vme->max_protection &= ~VM_PROT_WRITE; vme->protection &= ~VM_PROT_WRITE; } if ((revokeperms & VM_PROT_READ) == 0) vme->eflags |= MAP_ENTRY_COW | MAP_ENTRY_NEEDS_COPY; } if (revokeperms & VM_PROT_EXECUTE) { vme->max_protection &= ~VM_PROT_EXECUTE; vme->protection &= ~VM_PROT_EXECUTE; } if (revokeperms & VM_PROT_READ) { vme->max_protection = 0; vme->protection = 0; } pmap_protect(map->pmap, vme->start, vme->end, vme->protection & ~revokeperms); vm_map_simplify_entry(map, vme); } vm_map_lock_downgrade(map); } vm_map_unlock_read(map); } /* * When the subject's label changes, it may require revocation of privilege * to mapped objects. This can't be done on-the-fly later with a unified * buffer cache. */ static void mac_relabel_cred(struct ucred *cred, struct label *newlabel) { MAC_PERFORM(relabel_cred, cred, newlabel); mac_cred_mmapped_drop_perms(curthread, cred); } void mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel) { MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel); } void mac_create_ifnet(struct ifnet *ifnet) { MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label); } void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) { MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label); } void mac_create_socket(struct ucred *cred, struct socket *socket) { MAC_PERFORM(create_socket, cred, socket, &socket->so_label); } void mac_create_pipe(struct ucred *cred, struct pipe *pipe) { MAC_PERFORM(create_pipe, cred, pipe, pipe->pipe_label); } void mac_create_socket_from_socket(struct socket *oldsocket, struct socket *newsocket) { MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label, newsocket, &newsocket->so_label); } static void mac_relabel_socket(struct ucred *cred, struct socket *socket, struct label *newlabel) { MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel); } static void mac_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *newlabel) { MAC_PERFORM(relabel_pipe, cred, pipe, pipe->pipe_label, newlabel); } void mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) { MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, &mbuf->m_pkthdr.label, socket, &socket->so_peerlabel); } void mac_set_socket_peer_from_socket(struct socket *oldsocket, struct socket *newsocket) { MAC_PERFORM(set_socket_peer_from_socket, oldsocket, &oldsocket->so_label, newsocket, &newsocket->so_peerlabel); } void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram) { MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label, datagram, &datagram->m_pkthdr.label); } void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment) { MAC_PERFORM(create_fragment, datagram, &datagram->m_pkthdr.label, fragment, &fragment->m_pkthdr.label); } void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq) { MAC_PERFORM(create_ipq, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); } void mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_from_mbuf, oldmbuf, &oldmbuf->m_pkthdr.label, newmbuf, &newmbuf->m_pkthdr.label); } void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, &oldmbuf->m_pkthdr.label, ifnet, &ifnet->if_label, newmbuf, &newmbuf->m_pkthdr.label); } void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf) { MAC_PERFORM(create_mbuf_netlayer, oldmbuf, &oldmbuf->m_pkthdr.label, newmbuf, &newmbuf->m_pkthdr.label); } int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) { int result; result = 1; MAC_BOOLEAN(fragment_match, &&, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); return (result); } void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) { MAC_PERFORM(update_ipq, fragment, &fragment->m_pkthdr.label, ipq, &ipq->ipq_label); } void mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) { MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf, &mbuf->m_pkthdr.label); } void mac_create_mount(struct ucred *cred, struct mount *mp) { MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); } void mac_create_root_mount(struct ucred *cred, struct mount *mp) { MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); } int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) { int error; if (!mac_enforce_network) return (0); MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet, &ifnet->if_label); return (error); } static int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel) { int error; MAC_CHECK(check_cred_relabel, cred, newlabel); return (error); } int mac_check_cred_visible(struct ucred *u1, struct ucred *u2) { int error; if (!mac_enforce_process) return (0); MAC_CHECK(check_cred_visible, u1, u2); return (error); } int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) { int error; if (!mac_enforce_network) return (0); KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr")); if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED)) printf("%s%d: not initialized\n", ifnet->if_name, ifnet->if_unit); MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, &mbuf->m_pkthdr.label); return (error); } int mac_check_mount_stat(struct ucred *cred, struct mount *mount) { int error; if (!mac_enforce_fs) return (0); MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel); return (error); } int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, void *data) { int error; MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); return (error); } int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) { int error; MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); return (error); } static int mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *newlabel) { int error; MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); return (error); } int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_debug, cred, proc); return (error); } int mac_check_proc_sched(struct ucred *cred, struct proc *proc) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_sched, cred, proc); return (error); } int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); if (!mac_enforce_process) return (0); MAC_CHECK(check_proc_signal, cred, proc, signum); return (error); } int mac_check_socket_bind(struct ucred *ucred, struct socket *socket, struct sockaddr *sockaddr) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label, sockaddr); return (error); } int mac_check_socket_connect(struct ucred *cred, struct socket *socket, struct sockaddr *sockaddr) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label, sockaddr); return (error); } int mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf, &mbuf->m_pkthdr.label); return (error); } int mac_check_socket_listen(struct ucred *cred, struct socket *socket) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label); return (error); } static int mac_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *newlabel) { int error; MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label, newlabel); return (error); } int mac_check_socket_visible(struct ucred *cred, struct socket *socket) { int error; if (!mac_enforce_socket) return (0); MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label); return (error); } int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { struct mac label; int error; error = mac_externalize(&ifnet->if_label, &label); if (error) return (error); return (copyout(&label, ifr->ifr_ifru.ifru_data, sizeof(label))); } int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { struct mac newlabel; struct label intlabel; int error; error = copyin(ifr->ifr_ifru.ifru_data, &newlabel, sizeof(newlabel)); if (error) return (error); error = mac_internalize(&intlabel, &newlabel); if (error) return (error); /* * XXX: Note that this is a redundant privilege check, since * policies impose this check themselves if required by the * policy. Eventually, this should go away. */ error = suser_cred(cred, 0); if (error) goto out; MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label, &intlabel); if (error) goto out; MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel); out: mac_destroy_temp(&intlabel); return (error); } void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp) { MAC_PERFORM(create_devfs_vnode, de, &de->de_label, vp, &vp->v_label); } void mac_create_devfs_device(dev_t dev, struct devfs_dirent *de) { MAC_PERFORM(create_devfs_device, dev, de, &de->de_label); } static int mac_stdcreatevnode_ea(struct vnode *vp) { int error; MAC_CHECK(stdcreatevnode_ea, vp, &vp->v_label); return (error); } void mac_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *de) { MAC_PERFORM(create_devfs_directory, dirname, dirnamelen, de, &de->de_label); } /* * When a new vnode is created, this call will initialize its label. */ void mac_create_vnode(struct ucred *cred, struct vnode *parent, struct vnode *child) { int error; ASSERT_VOP_LOCKED(parent, "mac_create_vnode"); ASSERT_VOP_LOCKED(child, "mac_create_vnode"); error = vn_refreshlabel(parent, cred); if (error) { printf("mac_create_vnode: vn_refreshlabel returned %d\n", error); printf("mac_create_vnode: using old vnode label\n"); } MAC_PERFORM(create_vnode, cred, parent, &parent->v_label, child, &child->v_label); } int mac_setsockopt_label_set(struct ucred *cred, struct socket *so, struct mac *extmac) { struct label intlabel; int error; error = mac_internalize(&intlabel, extmac); if (error) return (error); mac_check_socket_relabel(cred, so, &intlabel); if (error) { mac_destroy_temp(&intlabel); return (error); } mac_relabel_socket(cred, so, &intlabel); mac_destroy_temp(&intlabel); return (0); } int mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) { int error; error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); mac_relabel_pipe(cred, pipe, label); return (0); } int mac_getsockopt_label_get(struct ucred *cred, struct socket *so, struct mac *extmac) { return (mac_externalize(&so->so_label, extmac)); } int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, struct mac *extmac) { return (mac_externalize(&so->so_peerlabel, extmac)); } /* * Implementation of VOP_SETLABEL() that relies on extended attributes * to store label data. Can be referenced by filesystems supporting * extended attributes. */ int vop_stdsetlabel_ea(struct vop_setlabel_args *ap) { struct vnode *vp = ap->a_vp; struct label *intlabel = ap->a_label; struct mac extmac; int error; ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea"); /* * XXX: Eventually call out to EA check/set calls here. * Be particularly careful to avoid race conditions, * consistency problems, and stability problems when * dealing with multiple EAs. In particular, we require * the ability to write multiple EAs on the same file in * a single transaction, which the current EA interface * does not provide. */ error = mac_externalize(intlabel, &extmac); if (error) return (error); error = vn_extattr_set(vp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, sizeof(extmac), (char *)&extmac, curthread); if (error) return (error); mac_relabel_vnode(ap->a_cred, vp, intlabel); vp->v_vflag |= VV_CACHEDLABEL; return (0); } static int vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) { int error; if (vp->v_mount == NULL) { /* printf("vn_setlabel: null v_mount\n"); */ if (vp->v_tag != VT_NON) printf("vn_setlabel: null v_mount with non-VT_NON\n"); return (EBADF); } if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) return (EOPNOTSUPP); /* * Multi-phase commit. First check the policies to confirm the * change is OK. Then commit via the filesystem. Finally, * update the actual vnode label. Question: maybe the filesystem * should update the vnode at the end as part of VOP_SETLABEL()? */ error = mac_check_vnode_relabel(cred, vp, intlabel); if (error) return (error); /* * VADMIN provides the opportunity for the filesystem to make * decisions about who is and is not able to modify labels * and protections on files. This might not be right. We can't * assume VOP_SETLABEL() will do it, because we might implement * that as part of vop_stdsetlabel_ea(). */ error = VOP_ACCESS(vp, VADMIN, cred, curthread); if (error) return (error); error = VOP_SETLABEL(vp, intlabel, cred, curthread); if (error) return (error); return (0); } /* * MPSAFE */ int __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) { struct mac extmac; int error; error = mac_externalize(&td->td_ucred->cr_label, &extmac); if (error == 0) error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); return (error); } /* * MPSAFE * * XXX: Needs to be re-written for proc locking. */ int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { struct ucred *newcred, *oldcred; struct proc *p; struct mac extmac; struct label intlabel; int error; error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) return (error); error = mac_internalize(&intlabel, &extmac); if (error) return (error); newcred = crget(); p = td->td_proc; PROC_LOCK(p); oldcred = p->p_ucred; error = mac_check_cred_relabel(oldcred, &intlabel); if (error) { PROC_UNLOCK(p); mac_destroy_temp(&intlabel); crfree(newcred); return (error); } setsugid(p); crcopy(newcred, oldcred); PROC_UNLOCK(p); mac_relabel_cred(newcred, &intlabel); PROC_LOCK(p); p->p_ucred = newcred; PROC_UNLOCK(p); crfree(oldcred); mac_destroy_temp(&intlabel); return (0); } /* * MPSAFE */ int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { struct file *fp; struct mac extmac; struct vnode *vp; struct pipe *pipe; int error; mtx_lock(&Giant); error = fget(td, SCARG(uap, fd), &fp); if (error) goto out; switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: vp = (struct vnode *)fp->f_data; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = vn_refreshlabel(vp, td->td_ucred); if (error == 0) error = mac_externalize(&vp->v_label, &extmac); VOP_UNLOCK(vp, 0, td); break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; error = mac_externalize(pipe->pipe_label, &extmac); break; default: error = EINVAL; } if (error == 0) error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); fdrop(fp, td); out: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { struct nameidata nd; struct mac extmac; int error; mtx_lock(&Giant); NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, SCARG(uap, path_p), td); error = namei(&nd); if (error) goto out; error = vn_refreshlabel(nd.ni_vp, td->td_ucred); if (error == 0) error = mac_externalize(&nd.ni_vp->v_label, &extmac); NDFREE(&nd, 0); if (error) goto out; error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); out: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { struct file *fp; struct mac extmac; struct label intlabel; struct mount *mp; struct vnode *vp; struct pipe *pipe; int error; mtx_lock(&Giant); error = fget(td, SCARG(uap, fd), &fp); if (error) goto out1; error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) goto out2; error = mac_internalize(&intlabel, &extmac); if (error) goto out2; switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: vp = (struct vnode *)fp->f_data; error = vn_start_write(vp, &mp, V_WAIT | PCATCH); if (error != 0) break; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); error = vn_setlabel(vp, &intlabel, td->td_ucred); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); mac_destroy_temp(&intlabel); break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); break; default: error = EINVAL; } out2: fdrop(fp, td); out1: mtx_unlock(&Giant); return (error); } /* * MPSAFE */ int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { struct nameidata nd; struct mac extmac; struct label intlabel; struct mount *mp; int error; mtx_lock(&Giant); error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); if (error) goto out; error = mac_internalize(&intlabel, &extmac); if (error) goto out; NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, SCARG(uap, path_p), td); error = namei(&nd); if (error) goto out2; error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error) goto out2; error = vn_setlabel(nd.ni_vp, &intlabel, td->td_ucred); vn_finished_write(mp); out2: mac_destroy_temp(&intlabel); NDFREE(&nd, 0); out: mtx_unlock(&Giant); return (error); } SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); #else /* !MAC */ int __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) { return (ENOSYS); } int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { return (ENOSYS); } int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { return (ENOSYS); } int __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { return (ENOSYS); } int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { return (ENOSYS); } int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { return (ENOSYS); } #endif /* !MAC */ Index: head/sys/security/mac_biba/mac_biba.c =================================================================== --- head/sys/security/mac_biba/mac_biba.c (revision 102111) +++ head/sys/security/mac_biba/mac_biba.c (revision 102112) @@ -1,2226 +1,2254 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by NAI Labs, * the Security Research Division of Network Associates, Inc. under * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The names of the authors may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ /* * Developed by the TrustedBSD Project. * Biba fixed label mandatory integrity policy. */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include SYSCTL_DECL(_security_mac); SYSCTL_NODE(_security_mac, OID_AUTO, biba, CTLFLAG_RW, 0, "TrustedBSD mac_biba policy controls"); static int mac_biba_enabled = 0; SYSCTL_INT(_security_mac_biba, OID_AUTO, enabled, CTLFLAG_RW, &mac_biba_enabled, 0, "Enforce MAC/Biba policy"); static int destroyed_not_inited; SYSCTL_INT(_security_mac_biba, OID_AUTO, destroyed_not_inited, CTLFLAG_RD, &destroyed_not_inited, 0, "Count of labels destroyed but not inited"); static int trust_all_interfaces = 0; SYSCTL_INT(_security_mac_biba, OID_AUTO, trust_all_interfaces, CTLFLAG_RD, &trust_all_interfaces, 0, "Consider all interfaces 'trusted' by MAC/Biba"); TUNABLE_INT("security.mac.biba.trust_all_interfaces", &trust_all_interfaces); static char trusted_interfaces[128]; SYSCTL_STRING(_security_mac_biba, OID_AUTO, trusted_interfaces, CTLFLAG_RD, trusted_interfaces, 0, "Interfaces considered 'trusted' by MAC/Biba"); TUNABLE_STR("security.mac.biba.trusted_interfaces", trusted_interfaces, sizeof(trusted_interfaces)); static int mac_biba_revocation_enabled = 0; SYSCTL_INT(_security_mac_biba, OID_AUTO, revocation_enabled, CTLFLAG_RW, &mac_biba_revocation_enabled, 0, "Revoke access to objects on relabel"); TUNABLE_INT("security.mac.biba.revocation_enabled", &mac_biba_revocation_enabled); static int mac_biba_slot; #define SLOT(l) ((struct mac_biba *)LABEL_TO_SLOT((l), mac_biba_slot).l_ptr) MALLOC_DEFINE(M_MACBIBA, "biba label", "MAC/Biba labels"); static int mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, mode_t acc_mode); static struct mac_biba * biba_alloc(int how) { struct mac_biba *mac_biba; mac_biba = malloc(sizeof(struct mac_biba), M_MACBIBA, M_ZERO | how); return (mac_biba); } static void biba_free(struct mac_biba *mac_biba) { if (mac_biba != NULL) free(mac_biba, M_MACBIBA); else atomic_add_int(&destroyed_not_inited, 1); } static int mac_biba_dominate_element(struct mac_biba_element *a, struct mac_biba_element *b) { switch(a->mbe_type) { case MAC_BIBA_TYPE_EQUAL: case MAC_BIBA_TYPE_HIGH: return (1); case MAC_BIBA_TYPE_LOW: switch (b->mbe_type) { case MAC_BIBA_TYPE_GRADE: case MAC_BIBA_TYPE_HIGH: return (0); case MAC_BIBA_TYPE_EQUAL: case MAC_BIBA_TYPE_LOW: return (1); default: panic("mac_biba_dominate_element: b->mbe_type invalid"); } case MAC_BIBA_TYPE_GRADE: switch (b->mbe_type) { case MAC_BIBA_TYPE_EQUAL: case MAC_BIBA_TYPE_LOW: return (1); case MAC_BIBA_TYPE_HIGH: return (0); case MAC_BIBA_TYPE_GRADE: return (a->mbe_grade >= b->mbe_grade); default: panic("mac_biba_dominate_element: b->mbe_type invalid"); } default: panic("mac_biba_dominate_element: a->mbe_type invalid"); } return (0); } static int mac_biba_range_in_range(struct mac_biba *rangea, struct mac_biba *rangeb) { return (mac_biba_dominate_element(&rangeb->mb_rangehigh, &rangea->mb_rangehigh) && mac_biba_dominate_element(&rangea->mb_rangelow, &rangeb->mb_rangelow)); } static int mac_biba_single_in_range(struct mac_biba *single, struct mac_biba *range) { KASSERT((single->mb_flag & MAC_BIBA_FLAG_SINGLE) != 0, ("mac_biba_single_in_range: a not single")); KASSERT((range->mb_flag & MAC_BIBA_FLAG_RANGE) != 0, ("mac_biba_single_in_range: b not range")); return (mac_biba_dominate_element(&range->mb_rangehigh, &single->mb_single) && mac_biba_dominate_element(&single->mb_single, &range->mb_rangelow)); return (1); } static int mac_biba_dominate_single(struct mac_biba *a, struct mac_biba *b) { KASSERT((a->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0, ("mac_biba_dominate_single: a not single")); KASSERT((b->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0, ("mac_biba_dominate_single: b not single")); return (mac_biba_dominate_element(&a->mb_single, &b->mb_single)); } static int mac_biba_equal_element(struct mac_biba_element *a, struct mac_biba_element *b) { if (a->mbe_type == MAC_BIBA_TYPE_EQUAL || b->mbe_type == MAC_BIBA_TYPE_EQUAL) return (1); return (a->mbe_type == b->mbe_type && a->mbe_grade == b->mbe_grade); } static int mac_biba_equal_range(struct mac_biba *a, struct mac_biba *b) { KASSERT((a->mb_flags & MAC_BIBA_FLAG_RANGE) != 0, ("mac_biba_equal_range: a not range")); KASSERT((b->mb_flags & MAC_BIBA_FLAG_RANGE) != 0, ("mac_biba_equal_range: b not range")); return (mac_biba_equal_element(&a->mb_rangelow, &b->mb_rangelow) && mac_biba_equal_element(&a->mb_rangehigh, &b->mb_rangehigh)); } static int mac_biba_equal_single(struct mac_biba *a, struct mac_biba *b) { KASSERT((a->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0, ("mac_biba_equal_single: a not single")); KASSERT((b->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0, ("mac_biba_equal_single: b not single")); return (mac_biba_equal_element(&a->mb_single, &b->mb_single)); } static int mac_biba_high_single(struct mac_biba *mac_biba) { return (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_HIGH); } static int mac_biba_valid(struct mac_biba *mac_biba) { if (mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE) { switch (mac_biba->mb_single.mbe_type) { case MAC_BIBA_TYPE_GRADE: break; case MAC_BIBA_TYPE_EQUAL: case MAC_BIBA_TYPE_HIGH: case MAC_BIBA_TYPE_LOW: if (mac_biba->mb_single.mbe_grade != 0) return (EINVAL); break; default: return (EINVAL); } } else { if (mac_biba->mb_single.mbe_type != MAC_BIBA_TYPE_UNDEF) return (EINVAL); } if (mac_biba->mb_flags & MAC_BIBA_FLAG_RANGE) { switch (mac_biba->mb_rangelow.mbe_type) { case MAC_BIBA_TYPE_GRADE: break; case MAC_BIBA_TYPE_EQUAL: case MAC_BIBA_TYPE_HIGH: case MAC_BIBA_TYPE_LOW: if (mac_biba->mb_rangelow.mbe_grade != 0) return (EINVAL); break; default: return (EINVAL); } switch (mac_biba->mb_rangehigh.mbe_type) { case MAC_BIBA_TYPE_GRADE: break; case MAC_BIBA_TYPE_EQUAL: case MAC_BIBA_TYPE_HIGH: case MAC_BIBA_TYPE_LOW: if (mac_biba->mb_rangehigh.mbe_grade != 0) return (EINVAL); break; default: return (EINVAL); } if (!mac_biba_dominate_element(&mac_biba->mb_rangehigh, &mac_biba->mb_rangelow)) return (EINVAL); } else { if (mac_biba->mb_rangelow.mbe_type != MAC_BIBA_TYPE_UNDEF || mac_biba->mb_rangehigh.mbe_type != MAC_BIBA_TYPE_UNDEF) return (EINVAL); } return (0); } static void mac_biba_set_range(struct mac_biba *mac_biba, u_short typelow, u_short gradelow, u_short typehigh, u_short gradehigh) { mac_biba->mb_rangelow.mbe_type = typelow; mac_biba->mb_rangelow.mbe_grade = gradelow; mac_biba->mb_rangehigh.mbe_type = typehigh; mac_biba->mb_rangehigh.mbe_grade = gradehigh; mac_biba->mb_flags |= MAC_BIBA_FLAG_RANGE; } static void mac_biba_set_single(struct mac_biba *mac_biba, u_short type, u_short grade) { mac_biba->mb_single.mbe_type = type; mac_biba->mb_single.mbe_grade = grade; mac_biba->mb_flags |= MAC_BIBA_FLAG_SINGLE; } static void mac_biba_copy_range(struct mac_biba *labelfrom, struct mac_biba *labelto) { KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_RANGE) != 0, ("mac_biba_copy_range: labelfrom not range")); labelto->mb_rangelow = labelfrom->mb_rangelow; labelto->mb_rangehigh = labelfrom->mb_rangehigh; labelto->mb_flags |= MAC_BIBA_FLAG_RANGE; } static void mac_biba_copy_single(struct mac_biba *labelfrom, struct mac_biba *labelto) { KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0, ("mac_biba_copy_single: labelfrom not single")); labelto->mb_single = labelfrom->mb_single; labelto->mb_flags |= MAC_BIBA_FLAG_SINGLE; } static void mac_biba_copy_single_to_range(struct mac_biba *labelfrom, struct mac_biba *labelto) { KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0, ("mac_biba_copy_single_to_range: labelfrom not single")); labelto->mb_rangelow = labelfrom->mb_single; labelto->mb_rangehigh = labelfrom->mb_single; labelto->mb_flags |= MAC_BIBA_FLAG_RANGE; } /* * Policy module operations. */ static void mac_biba_destroy(struct mac_policy_conf *conf) { } static void mac_biba_init(struct mac_policy_conf *conf) { } /* * Label operations. */ static void mac_biba_init_bpfdesc(struct bpf_d *bpf_d, struct label *label) { SLOT(label) = biba_alloc(M_WAITOK); } static void mac_biba_init_cred(struct ucred *ucred, struct label *label) { SLOT(label) = biba_alloc(M_WAITOK); } static void mac_biba_init_devfsdirent(struct devfs_dirent *devfs_dirent, struct label *label) { SLOT(label) = biba_alloc(M_WAITOK); } static void mac_biba_init_ifnet(struct ifnet *ifnet, struct label *label) { SLOT(label) = biba_alloc(M_WAITOK); } static void mac_biba_init_ipq(struct ipq *ipq, struct label *label) { SLOT(label) = biba_alloc(M_WAITOK); } static int mac_biba_init_mbuf(struct mbuf *mbuf, int how, struct label *label) { SLOT(label) = biba_alloc(how); if (SLOT(label) == NULL) return (ENOMEM); return (0); } static void mac_biba_init_mount(struct mount *mount, struct label *mntlabel, struct label *fslabel) { SLOT(mntlabel) = biba_alloc(M_WAITOK); SLOT(fslabel) = biba_alloc(M_WAITOK); } static void mac_biba_init_socket(struct socket *socket, struct label *label, struct label *peerlabel) { SLOT(label) = biba_alloc(M_WAITOK); SLOT(peerlabel) = biba_alloc(M_WAITOK); } static void mac_biba_init_pipe(struct pipe *pipe, struct label *label) { SLOT(label) = biba_alloc(M_WAITOK); } static void mac_biba_init_temp(struct label *label) { SLOT(label) = biba_alloc(M_WAITOK); } static void mac_biba_init_vnode(struct vnode *vp, struct label *label) { SLOT(label) = biba_alloc(M_WAITOK); } static void mac_biba_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label) { biba_free(SLOT(label)); SLOT(label) = NULL; } static void mac_biba_destroy_cred(struct ucred *ucred, struct label *label) { biba_free(SLOT(label)); SLOT(label) = NULL; } static void mac_biba_destroy_devfsdirent(struct devfs_dirent *devfs_dirent, struct label *label) { biba_free(SLOT(label)); SLOT(label) = NULL; } static void mac_biba_destroy_ifnet(struct ifnet *ifnet, struct label *label) { biba_free(SLOT(label)); SLOT(label) = NULL; } static void mac_biba_destroy_ipq(struct ipq *ipq, struct label *label) { biba_free(SLOT(label)); SLOT(label) = NULL; } static void mac_biba_destroy_mbuf(struct mbuf *mbuf, struct label *label) { biba_free(SLOT(label)); SLOT(label) = NULL; } static void mac_biba_destroy_mount(struct mount *mount, struct label *mntlabel, struct label *fslabel) { biba_free(SLOT(mntlabel)); SLOT(mntlabel) = NULL; biba_free(SLOT(fslabel)); SLOT(fslabel) = NULL; } static void mac_biba_destroy_socket(struct socket *socket, struct label *label, struct label *peerlabel) { biba_free(SLOT(label)); SLOT(label) = NULL; biba_free(SLOT(peerlabel)); SLOT(peerlabel) = NULL; } static void mac_biba_destroy_pipe(struct pipe *pipe, struct label *label) { biba_free(SLOT(label)); SLOT(label) = NULL; } static void mac_biba_destroy_temp(struct label *label) { biba_free(SLOT(label)); SLOT(label) = NULL; } static void mac_biba_destroy_vnode(struct vnode *vp, struct label *label) { biba_free(SLOT(label)); SLOT(label) = NULL; } static int mac_biba_externalize(struct label *label, struct mac *extmac) { struct mac_biba *mac_biba; mac_biba = SLOT(label); if (mac_biba == NULL) { printf("mac_biba_externalize: NULL pointer\n"); return (0); } extmac->m_biba = *mac_biba; return (0); } static int mac_biba_internalize(struct label *label, struct mac *extmac) { struct mac_biba *mac_biba; int error; mac_biba = SLOT(label); error = mac_biba_valid(mac_biba); if (error) return (error); *mac_biba = extmac->m_biba; return (0); } /* * Labeling event operations: file system objects, and things that look * a lot like file system objects. */ static void mac_biba_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent, struct label *label) { struct mac_biba *mac_biba; int biba_type; mac_biba = SLOT(label); if (strcmp(dev->si_name, "null") == 0 || strcmp(dev->si_name, "zero") == 0 || strcmp(dev->si_name, "random") == 0 || strncmp(dev->si_name, "fd/", strlen("fd/")) == 0) biba_type = MAC_BIBA_TYPE_EQUAL; else biba_type = MAC_BIBA_TYPE_HIGH; mac_biba_set_single(mac_biba, biba_type, 0); } static void mac_biba_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label) { struct mac_biba *mac_biba; mac_biba = SLOT(label); mac_biba_set_single(mac_biba, MAC_BIBA_TYPE_HIGH, 0); } static void mac_biba_create_devfs_vnode(struct devfs_dirent *devfs_dirent, struct label *direntlabel, struct vnode *vp, struct label *vnodelabel) { struct mac_biba *source, *dest; source = SLOT(direntlabel); dest = SLOT(vnodelabel); mac_biba_copy_single(source, dest); } static void mac_biba_create_vnode(struct ucred *cred, struct vnode *parent, struct label *parentlabel, struct vnode *child, struct label *childlabel) { struct mac_biba *source, *dest; source = SLOT(&cred->cr_label); dest = SLOT(childlabel); mac_biba_copy_single(source, dest); } static void mac_biba_create_mount(struct ucred *cred, struct mount *mp, struct label *mntlabel, struct label *fslabel) { struct mac_biba *source, *dest; source = SLOT(&cred->cr_label); dest = SLOT(mntlabel); mac_biba_copy_single(source, dest); dest = SLOT(fslabel); mac_biba_copy_single(source, dest); } static void mac_biba_create_root_mount(struct ucred *cred, struct mount *mp, struct label *mntlabel, struct label *fslabel) { struct mac_biba *mac_biba; /* Always mount root as high integrity. */ mac_biba = SLOT(fslabel); mac_biba_set_single(mac_biba, MAC_BIBA_TYPE_HIGH, 0); mac_biba = SLOT(mntlabel); mac_biba_set_single(mac_biba, MAC_BIBA_TYPE_HIGH, 0); } static void mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *label) { struct mac_biba *source, *dest; source = SLOT(label); dest = SLOT(vnodelabel); mac_biba_copy_single(source, dest); } static void mac_biba_update_devfsdirent(struct devfs_dirent *devfs_dirent, struct label *direntlabel, struct vnode *vp, struct label *vnodelabel) { struct mac_biba *source, *dest; source = SLOT(vnodelabel); dest = SLOT(direntlabel); mac_biba_copy_single(source, dest); } static void mac_biba_update_procfsvnode(struct vnode *vp, struct label *vnodelabel, struct ucred *cred) { struct mac_biba *source, *dest; source = SLOT(&cred->cr_label); dest = SLOT(vnodelabel); /* * Only copy the single, not the range, since vnodes only have * a single. */ mac_biba_copy_single(source, dest); } static int mac_biba_update_vnode_from_externalized(struct vnode *vp, struct label *vnodelabel, struct mac *extmac) { struct mac_biba *source, *dest; int error; source = &extmac->m_biba; dest = SLOT(vnodelabel); error = mac_biba_valid(source); if (error) return (error); if ((source->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE) return (EINVAL); mac_biba_copy_single(source, dest); return (0); } static void mac_biba_update_vnode_from_mount(struct vnode *vp, struct label *vnodelabel, struct mount *mp, struct label *fslabel) { struct mac_biba *source, *dest; source = SLOT(fslabel); dest = SLOT(vnodelabel); mac_biba_copy_single(source, dest); } /* * Labeling event operations: IPC object. */ static void mac_biba_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { struct mac_biba *source, *dest; source = SLOT(socketlabel); dest = SLOT(mbuflabel); mac_biba_copy_single(source, dest); } static void mac_biba_create_socket(struct ucred *cred, struct socket *socket, struct label *socketlabel) { struct mac_biba *source, *dest; source = SLOT(&cred->cr_label); dest = SLOT(socketlabel); mac_biba_copy_single(source, dest); mac_biba_copy_single_to_range(source, dest); } static void mac_biba_create_pipe(struct ucred *cred, struct pipe *pipe, struct label *pipelabel) { struct mac_biba *source, *dest; source = SLOT(&cred->cr_label); dest = SLOT(pipelabel); mac_biba_copy_single(source, dest); } static void mac_biba_create_socket_from_socket(struct socket *oldsocket, struct label *oldsocketlabel, struct socket *newsocket, struct label *newsocketlabel) { struct mac_biba *source, *dest; source = SLOT(oldsocketlabel); dest = SLOT(newsocketlabel); mac_biba_copy_single(source, dest); mac_biba_copy_range(source, dest); } static void mac_biba_relabel_socket(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) { struct mac_biba *source, *dest; source = SLOT(newlabel); dest = SLOT(socketlabel); mac_biba_copy_single(source, dest); mac_biba_copy_range(source, dest); } static void mac_biba_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) { struct mac_biba *source, *dest; source = SLOT(newlabel); dest = SLOT(pipelabel); mac_biba_copy_single(source, dest); } static void mac_biba_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel, struct socket *socket, struct label *socketpeerlabel) { struct mac_biba *source, *dest; source = SLOT(mbuflabel); dest = SLOT(socketpeerlabel); mac_biba_copy_single(source, dest); } /* * Labeling event operations: network objects. */ static void mac_biba_set_socket_peer_from_socket(struct socket *oldsocket, struct label *oldsocketlabel, struct socket *newsocket, struct label *newsocketpeerlabel) { struct mac_biba *source, *dest; source = SLOT(oldsocketlabel); dest = SLOT(newsocketpeerlabel); mac_biba_copy_single(source, dest); } static void mac_biba_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d, struct label *bpflabel) { struct mac_biba *source, *dest; source = SLOT(&cred->cr_label); dest = SLOT(bpflabel); mac_biba_copy_single(source, dest); } static void mac_biba_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel) { char tifname[IFNAMSIZ], ifname[IFNAMSIZ], *p, *q; char tiflist[sizeof(trusted_interfaces)]; struct mac_biba *dest; int len, grade; dest = SLOT(ifnetlabel); if (ifnet->if_type == IFT_LOOP) { grade = MAC_BIBA_TYPE_EQUAL; goto set; } if (trust_all_interfaces) { grade = MAC_BIBA_TYPE_HIGH; goto set; } grade = MAC_BIBA_TYPE_LOW; if (trusted_interfaces[0] == '\0' || !strvalid(trusted_interfaces, sizeof(trusted_interfaces))) goto set; for (p = trusted_interfaces, q = tiflist; *p != '\0'; p++, q++) if(*p != ' ' && *p != '\t') *q = *p; snprintf(ifname, IFNAMSIZ, "%s%d", ifnet->if_name, ifnet->if_unit); for (p = q = tiflist;; p++) { if (*p == ',' || *p == '\0') { len = p - q; if (len < IFNAMSIZ) { bzero(tifname, sizeof(tifname)); bcopy(q, tifname, len); if (strcmp(tifname, ifname) == 0) { grade = MAC_BIBA_TYPE_HIGH; break; } } if (*p == '\0') break; q = p + 1; } } set: mac_biba_set_single(dest, grade, 0); mac_biba_set_range(dest, grade, 0, grade, 0); } static void mac_biba_create_ipq(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { struct mac_biba *source, *dest; source = SLOT(fragmentlabel); dest = SLOT(ipqlabel); mac_biba_copy_single(source, dest); } static void mac_biba_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel, struct mbuf *datagram, struct label *datagramlabel) { struct mac_biba *source, *dest; source = SLOT(ipqlabel); dest = SLOT(datagramlabel); /* Just use the head, since we require them all to match. */ mac_biba_copy_single(source, dest); } static void mac_biba_create_fragment(struct mbuf *datagram, struct label *datagramlabel, struct mbuf *fragment, struct label *fragmentlabel) { struct mac_biba *source, *dest; source = SLOT(datagramlabel); dest = SLOT(fragmentlabel); mac_biba_copy_single(source, dest); } static void mac_biba_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel) { struct mac_biba *source, *dest; source = SLOT(oldmbuflabel); dest = SLOT(newmbuflabel); mac_biba_copy_single(source, dest); } static void mac_biba_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *mbuf, struct label *mbuflabel) { struct mac_biba *dest; dest = SLOT(mbuflabel); mac_biba_set_single(dest, MAC_BIBA_TYPE_EQUAL, 0); } static void mac_biba_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel, struct mbuf *mbuf, struct label *mbuflabel) { struct mac_biba *source, *dest; source = SLOT(bpflabel); dest = SLOT(mbuflabel); mac_biba_copy_single(source, dest); } static void mac_biba_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel) { struct mac_biba *source, *dest; source = SLOT(ifnetlabel); dest = SLOT(mbuflabel); mac_biba_copy_single(source, dest); } static void mac_biba_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *newmbuf, struct label *newmbuflabel) { struct mac_biba *source, *dest; source = SLOT(oldmbuflabel); dest = SLOT(newmbuflabel); mac_biba_copy_single(source, dest); } static void mac_biba_create_mbuf_netlayer(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel) { struct mac_biba *source, *dest; source = SLOT(oldmbuflabel); dest = SLOT(newmbuflabel); mac_biba_copy_single(source, dest); } static int mac_biba_fragment_match(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { struct mac_biba *a, *b; a = SLOT(ipqlabel); b = SLOT(fragmentlabel); return (mac_biba_equal_single(a, b)); } static void mac_biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, struct label *newlabel) { struct mac_biba *source, *dest; source = SLOT(newlabel); dest = SLOT(ifnetlabel); mac_biba_copy_single(source, dest); mac_biba_copy_range(source, dest); } static void mac_biba_update_ipq(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { /* NOOP: we only accept matching labels, so no need to update */ } /* * Labeling event operations: processes. */ static void mac_biba_create_cred(struct ucred *cred_parent, struct ucred *cred_child) { struct mac_biba *source, *dest; source = SLOT(&cred_parent->cr_label); dest = SLOT(&cred_child->cr_label); mac_biba_copy_single(source, dest); mac_biba_copy_range(source, dest); } static void mac_biba_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct mac *vnodelabel) { struct mac_biba *source, *dest; source = SLOT(&old->cr_label); dest = SLOT(&new->cr_label); mac_biba_copy_single(source, dest); mac_biba_copy_range(source, dest); } static int mac_biba_execve_will_transition(struct ucred *old, struct vnode *vp, struct mac *vnodelabel) { return (0); } static void mac_biba_create_proc0(struct ucred *cred) { struct mac_biba *dest; dest = SLOT(&cred->cr_label); mac_biba_set_single(dest, MAC_BIBA_TYPE_EQUAL, 0); mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, MAC_BIBA_TYPE_HIGH, 0); } static void mac_biba_create_proc1(struct ucred *cred) { struct mac_biba *dest; dest = SLOT(&cred->cr_label); mac_biba_set_single(dest, MAC_BIBA_TYPE_HIGH, 0); mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, MAC_BIBA_TYPE_HIGH, 0); } static void mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel) { struct mac_biba *source, *dest; source = SLOT(newlabel); dest = SLOT(&cred->cr_label); mac_biba_copy_single(source, dest); mac_biba_copy_range(source, dest); } /* * Access control checks. */ static int mac_biba_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel, struct ifnet *ifnet, struct label *ifnetlabel) { struct mac_biba *a, *b; if (!mac_biba_enabled) return (0); a = SLOT(bpflabel); b = SLOT(ifnetlabel); if (mac_biba_equal_single(a, b)) return (0); return (EACCES); } static int mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel) { struct mac_biba *subj, *new; subj = SLOT(&cred->cr_label); new = SLOT(newlabel); if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH) return (EINVAL); /* * XXX: Allow processes with root privilege to set labels outside * their range, so suid things like "su" work. This WILL go away * when we figure out the 'correct' solution... */ if (!suser_cred(cred, 0)) return (0); /* * The new single must be in the old range. */ if (!mac_biba_single_in_range(new, subj)) return (EPERM); /* * The new range must be in the old range. */ if (!mac_biba_range_in_range(new, subj)) return (EPERM); /* * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. */ return (0); } static int mac_biba_check_cred_visible(struct ucred *u1, struct ucred *u2) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&u1->cr_label); obj = SLOT(&u2->cr_label); /* XXX: range */ if (!mac_biba_dominate_single(obj, subj)) return (ESRCH); return (0); } static int mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, struct label *newlabel) { struct mac_biba *subj, *new; subj = SLOT(&cred->cr_label); new = SLOT(newlabel); if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH) return (EINVAL); /* * XXX: Only Biba HIGH subjects may relabel interfaces. */ if (!mac_biba_high_single(subj)) return (EPERM); return (suser_cred(cred, 0)); } static int mac_biba_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel) { struct mac_biba *p, *i; if (!mac_biba_enabled) return (0); p = SLOT(mbuflabel); i = SLOT(ifnetlabel); return (mac_biba_single_in_range(p, i) ? 0 : EACCES); } static int mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp, struct label *mntlabel) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(mntlabel); if (!mac_biba_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_biba_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) { if(!mac_biba_enabled) return (0); /* XXX: This will be implemented soon... */ return (0); } static int mac_biba_check_pipe_op(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, int op) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT((pipelabel)); switch(op) { case MAC_OP_PIPE_READ: case MAC_OP_PIPE_STAT: case MAC_OP_PIPE_POLL: if (!mac_biba_dominate_single(obj, subj)) return (EACCES); break; case MAC_OP_PIPE_WRITE: if (!mac_biba_dominate_single(subj, obj)) return (EACCES); break; default: panic("mac_biba_check_pipe_op: invalid pipe operation"); } return (0); } static int mac_biba_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) { struct mac_biba *subj, *obj, *new; new = SLOT(newlabel); subj = SLOT(&cred->cr_label); obj = SLOT(pipelabel); if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE) return (EINVAL); /* * To relabel a pipe, the old pipe label must be in the subject * range. */ if (!mac_biba_single_in_range(obj, subj)) return (EPERM); /* * To relabel a pipe, the new pipe label must be in the subject * range. */ if (!mac_biba_single_in_range(new, subj)) return (EPERM); /* * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. */ return (0); } static int mac_biba_check_proc_debug(struct ucred *cred, struct proc *proc) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(&proc->p_ucred->cr_label); /* XXX: range checks */ if (!mac_biba_dominate_single(obj, subj)) return (ESRCH); if (!mac_biba_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_biba_check_proc_sched(struct ucred *cred, struct proc *proc) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(&proc->p_ucred->cr_label); /* XXX: range checks */ if (!mac_biba_dominate_single(obj, subj)) return (ESRCH); if (!mac_biba_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_biba_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(&proc->p_ucred->cr_label); /* XXX: range checks */ if (!mac_biba_dominate_single(obj, subj)) return (ESRCH); if (!mac_biba_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_biba_check_socket_deliver(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { struct mac_biba *p, *s; if (!mac_biba_enabled) return (0); p = SLOT(mbuflabel); s = SLOT(socketlabel); return (mac_biba_equal_single(p, s) ? 0 : EACCES); } static int mac_biba_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) { struct mac_biba *subj, *obj, *new; new = SLOT(newlabel); subj = SLOT(&cred->cr_label); obj = SLOT(socketlabel); if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE) return (EINVAL); /* * To relabel a socket, the old socket label must be in the subject * range. */ if (!mac_biba_single_in_range(obj, subj)) return (EPERM); /* * To relabel a socket, the new socket label must be in the subject * range. */ if (!mac_biba_single_in_range(new, subj)) return (EPERM); /* * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. */ return (0); } static int mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket, struct label *socketlabel) { struct mac_biba *subj, *obj; subj = SLOT(&cred->cr_label); obj = SLOT(socketlabel); if (!mac_biba_dominate_single(obj, subj)) return (ENOENT); return (0); } static int mac_biba_check_vnode_access(struct ucred *cred, struct vnode *vp, struct label *label, mode_t flags) { return (mac_biba_check_vnode_open(cred, vp, label, flags)); } static int mac_biba_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(dlabel); if (!mac_biba_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_biba_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(dlabel); if (!mac_biba_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_biba_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp, struct vattr *vap) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(dlabel); if (!mac_biba_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_biba_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(dlabel); if (!mac_biba_dominate_single(subj, obj)) return (EACCES); obj = SLOT(label); if (!mac_biba_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp, struct label *label) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_biba_check_vnode_getacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_biba_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(dlabel); if (!mac_biba_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, mode_t acc_mode) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(vnodelabel); /* XXX privilege override for admin? */ if (acc_mode & (VREAD | VEXEC | VSTAT)) { if (!mac_biba_dominate_single(obj, subj)) return (EACCES); } if (acc_mode & (VWRITE | VAPPEND | VADMIN)) { if (!mac_biba_dominate_single(subj, obj)) return (EACCES); } return (0); } static int +mac_biba_check_vnode_poll(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled || !mac_biba_revocation_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_biba_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + +static int +mac_biba_check_vnode_read(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled || !mac_biba_revocation_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_biba_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + +static int mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(dlabel); if (!mac_biba_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_biba_check_vnode_readlink(struct ucred *cred, struct vnode *vp, struct label *label) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_biba_check_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *newlabel) { struct mac_biba *old, *new, *subj; old = SLOT(vnodelabel); new = SLOT(newlabel); subj = SLOT(&cred->cr_label); if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE) return (EINVAL); /* * To relabel a vnode, the old vnode label must be in the subject * range. */ if (!mac_biba_single_in_range(old, subj)) return (EPERM); /* * To relabel a vnode, the new vnode label must be in the subject * range. */ if (!mac_biba_single_in_range(new, subj)) return (EPERM); /* * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. */ return (suser_cred(cred, 0)); } static int mac_biba_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(dlabel); if (!mac_biba_dominate_single(subj, obj)) return (EACCES); obj = SLOT(label); if (!mac_biba_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_biba_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, int samedir, struct componentname *cnp) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(dlabel); if (!mac_biba_dominate_single(subj, obj)) return (EACCES); if (vp != NULL) { obj = SLOT(label); if (!mac_biba_dominate_single(subj, obj)) return (EACCES); } return (0); } static int mac_biba_check_vnode_revoke(struct ucred *cred, struct vnode *vp, struct label *label) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_biba_check_vnode_setacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type, struct acl *acl) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_biba_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, int attrnamespace, const char *name, struct uio *uio) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(vnodelabel); if (!mac_biba_dominate_single(subj, obj)) return (EACCES); /* XXX: protect the MAC EA in a special way? */ return (0); } static int mac_biba_check_vnode_setflags(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, u_long flags) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(vnodelabel); if (!mac_biba_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_biba_check_vnode_setmode(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, mode_t mode) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(vnodelabel); if (!mac_biba_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_biba_check_vnode_setowner(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, uid_t uid, gid_t gid) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(vnodelabel); if (!mac_biba_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_biba_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct timespec atime, struct timespec mtime) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(vnodelabel); if (!mac_biba_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_biba_check_vnode_stat(struct ucred *cred, struct vnode *vp, struct label *vnodelabel) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(vnodelabel); if (!mac_biba_dominate_single(obj, subj)) return (EACCES); return (0); } +static int +mac_biba_check_vnode_write(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled || !mac_biba_revocation_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_biba_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + static vm_prot_t mac_biba_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, struct label *label, int newmapping) { struct mac_biba *subj, *obj; vm_prot_t prot = 0; if (!mac_biba_enabled || (!mac_biba_revocation_enabled && !newmapping)) return (VM_PROT_ALL); subj = SLOT(&cred->cr_label); obj = SLOT(label); if (mac_biba_dominate_single(obj, subj)) prot |= VM_PROT_READ | VM_PROT_EXECUTE; if (mac_biba_dominate_single(subj, obj)) prot |= VM_PROT_WRITE; return (prot); } -static int -mac_biba_check_vnode_op(struct ucred *cred, struct vnode *vp, - struct label *label, int op) -{ - struct mac_biba *subj, *obj; - - if (!mac_biba_enabled || !mac_biba_revocation_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(label); - - switch (op) { - case MAC_OP_VNODE_POLL: - case MAC_OP_VNODE_READ: - if (!mac_biba_dominate_single(obj, subj)) - return (EACCES); - return (0); - - case MAC_OP_VNODE_WRITE: - if (!mac_biba_dominate_single(subj, obj)) - return (EACCES); - return (0); - - default: - printf("mac_biba_check_vnode_op: unknown operation %d\n", op); - return (EINVAL); - } -} - static struct mac_policy_op_entry mac_biba_ops[] = { { MAC_DESTROY, (macop_t)mac_biba_destroy }, { MAC_INIT, (macop_t)mac_biba_init }, { MAC_INIT_BPFDESC, (macop_t)mac_biba_init_bpfdesc }, { MAC_INIT_CRED, (macop_t)mac_biba_init_cred }, { MAC_INIT_DEVFSDIRENT, (macop_t)mac_biba_init_devfsdirent }, { MAC_INIT_IFNET, (macop_t)mac_biba_init_ifnet }, { MAC_INIT_IPQ, (macop_t)mac_biba_init_ipq }, { MAC_INIT_MBUF, (macop_t)mac_biba_init_mbuf }, { MAC_INIT_MOUNT, (macop_t)mac_biba_init_mount }, { MAC_INIT_PIPE, (macop_t)mac_biba_init_pipe }, { MAC_INIT_SOCKET, (macop_t)mac_biba_init_socket }, { MAC_INIT_TEMP, (macop_t)mac_biba_init_temp }, { MAC_INIT_VNODE, (macop_t)mac_biba_init_vnode }, { MAC_DESTROY_BPFDESC, (macop_t)mac_biba_destroy_bpfdesc }, { MAC_DESTROY_CRED, (macop_t)mac_biba_destroy_cred }, { MAC_DESTROY_DEVFSDIRENT, (macop_t)mac_biba_destroy_devfsdirent }, { MAC_DESTROY_IFNET, (macop_t)mac_biba_destroy_ifnet }, { MAC_DESTROY_IPQ, (macop_t)mac_biba_destroy_ipq }, { MAC_DESTROY_MBUF, (macop_t)mac_biba_destroy_mbuf }, { MAC_DESTROY_MOUNT, (macop_t)mac_biba_destroy_mount }, { MAC_DESTROY_PIPE, (macop_t)mac_biba_destroy_pipe }, { MAC_DESTROY_SOCKET, (macop_t)mac_biba_destroy_socket }, { MAC_DESTROY_TEMP, (macop_t)mac_biba_destroy_temp }, { MAC_DESTROY_VNODE, (macop_t)mac_biba_destroy_vnode }, { MAC_EXTERNALIZE, (macop_t)mac_biba_externalize }, { MAC_INTERNALIZE, (macop_t)mac_biba_internalize }, { MAC_CREATE_DEVFS_DEVICE, (macop_t)mac_biba_create_devfs_device }, { MAC_CREATE_DEVFS_DIRECTORY, (macop_t)mac_biba_create_devfs_directory }, { MAC_CREATE_DEVFS_VNODE, (macop_t)mac_biba_create_devfs_vnode }, { MAC_CREATE_VNODE, (macop_t)mac_biba_create_vnode }, { MAC_CREATE_MOUNT, (macop_t)mac_biba_create_mount }, { MAC_CREATE_ROOT_MOUNT, (macop_t)mac_biba_create_root_mount }, { MAC_RELABEL_VNODE, (macop_t)mac_biba_relabel_vnode }, { MAC_UPDATE_DEVFSDIRENT, (macop_t)mac_biba_update_devfsdirent }, { MAC_UPDATE_PROCFSVNODE, (macop_t)mac_biba_update_procfsvnode }, { MAC_UPDATE_VNODE_FROM_EXTERNALIZED, (macop_t)mac_biba_update_vnode_from_externalized }, { MAC_UPDATE_VNODE_FROM_MOUNT, (macop_t)mac_biba_update_vnode_from_mount }, { MAC_CREATE_MBUF_FROM_SOCKET, (macop_t)mac_biba_create_mbuf_from_socket }, { MAC_CREATE_PIPE, (macop_t)mac_biba_create_pipe }, { MAC_CREATE_SOCKET, (macop_t)mac_biba_create_socket }, { MAC_CREATE_SOCKET_FROM_SOCKET, (macop_t)mac_biba_create_socket_from_socket }, { MAC_RELABEL_PIPE, (macop_t)mac_biba_relabel_pipe }, { MAC_RELABEL_SOCKET, (macop_t)mac_biba_relabel_socket }, { MAC_SET_SOCKET_PEER_FROM_MBUF, (macop_t)mac_biba_set_socket_peer_from_mbuf }, { MAC_SET_SOCKET_PEER_FROM_SOCKET, (macop_t)mac_biba_set_socket_peer_from_socket }, { MAC_CREATE_BPFDESC, (macop_t)mac_biba_create_bpfdesc }, { MAC_CREATE_DATAGRAM_FROM_IPQ, (macop_t)mac_biba_create_datagram_from_ipq }, { MAC_CREATE_FRAGMENT, (macop_t)mac_biba_create_fragment }, { MAC_CREATE_IFNET, (macop_t)mac_biba_create_ifnet }, { MAC_CREATE_IPQ, (macop_t)mac_biba_create_ipq }, { MAC_CREATE_MBUF_FROM_MBUF, (macop_t)mac_biba_create_mbuf_from_mbuf }, { MAC_CREATE_MBUF_LINKLAYER, (macop_t)mac_biba_create_mbuf_linklayer }, { MAC_CREATE_MBUF_FROM_BPFDESC, (macop_t)mac_biba_create_mbuf_from_bpfdesc }, { MAC_CREATE_MBUF_FROM_IFNET, (macop_t)mac_biba_create_mbuf_from_ifnet }, { MAC_CREATE_MBUF_MULTICAST_ENCAP, (macop_t)mac_biba_create_mbuf_multicast_encap }, { MAC_CREATE_MBUF_NETLAYER, (macop_t)mac_biba_create_mbuf_netlayer }, { MAC_FRAGMENT_MATCH, (macop_t)mac_biba_fragment_match }, { MAC_RELABEL_IFNET, (macop_t)mac_biba_relabel_ifnet }, { MAC_UPDATE_IPQ, (macop_t)mac_biba_update_ipq }, { MAC_CREATE_CRED, (macop_t)mac_biba_create_cred }, { MAC_EXECVE_TRANSITION, (macop_t)mac_biba_execve_transition }, { MAC_EXECVE_WILL_TRANSITION, (macop_t)mac_biba_execve_will_transition }, { MAC_CREATE_PROC0, (macop_t)mac_biba_create_proc0 }, { MAC_CREATE_PROC1, (macop_t)mac_biba_create_proc1 }, { MAC_RELABEL_CRED, (macop_t)mac_biba_relabel_cred }, { MAC_CHECK_BPFDESC_RECEIVE, (macop_t)mac_biba_check_bpfdesc_receive }, { MAC_CHECK_CRED_RELABEL, (macop_t)mac_biba_check_cred_relabel }, { MAC_CHECK_CRED_VISIBLE, (macop_t)mac_biba_check_cred_visible }, { MAC_CHECK_IFNET_RELABEL, (macop_t)mac_biba_check_ifnet_relabel }, { MAC_CHECK_IFNET_TRANSMIT, (macop_t)mac_biba_check_ifnet_transmit }, { MAC_CHECK_MOUNT_STAT, (macop_t)mac_biba_check_mount_stat }, { MAC_CHECK_PIPE_IOCTL, (macop_t)mac_biba_check_pipe_ioctl }, { MAC_CHECK_PIPE_OP, (macop_t)mac_biba_check_pipe_op }, { MAC_CHECK_PIPE_RELABEL, (macop_t)mac_biba_check_pipe_relabel }, { MAC_CHECK_PROC_DEBUG, (macop_t)mac_biba_check_proc_debug }, { MAC_CHECK_PROC_SCHED, (macop_t)mac_biba_check_proc_sched }, { MAC_CHECK_PROC_SIGNAL, (macop_t)mac_biba_check_proc_signal }, { MAC_CHECK_SOCKET_DELIVER, (macop_t)mac_biba_check_socket_deliver }, { MAC_CHECK_SOCKET_RELABEL, (macop_t)mac_biba_check_socket_relabel }, { MAC_CHECK_SOCKET_VISIBLE, (macop_t)mac_biba_check_socket_visible }, { MAC_CHECK_VNODE_ACCESS, (macop_t)mac_biba_check_vnode_access }, { MAC_CHECK_VNODE_CHDIR, (macop_t)mac_biba_check_vnode_chdir }, { MAC_CHECK_VNODE_CHROOT, (macop_t)mac_biba_check_vnode_chroot }, { MAC_CHECK_VNODE_CREATE, (macop_t)mac_biba_check_vnode_create }, { MAC_CHECK_VNODE_DELETE, (macop_t)mac_biba_check_vnode_delete }, { MAC_CHECK_VNODE_DELETEACL, (macop_t)mac_biba_check_vnode_deleteacl }, { MAC_CHECK_VNODE_EXEC, (macop_t)mac_biba_check_vnode_exec }, { MAC_CHECK_VNODE_GETACL, (macop_t)mac_biba_check_vnode_getacl }, { MAC_CHECK_VNODE_GETEXTATTR, (macop_t)mac_biba_check_vnode_getextattr }, { MAC_CHECK_VNODE_LOOKUP, (macop_t)mac_biba_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, (macop_t)mac_biba_check_vnode_open }, + { MAC_CHECK_VNODE_POLL, + (macop_t)mac_biba_check_vnode_poll }, + { MAC_CHECK_VNODE_READ, + (macop_t)mac_biba_check_vnode_read }, { MAC_CHECK_VNODE_READDIR, (macop_t)mac_biba_check_vnode_readdir }, { MAC_CHECK_VNODE_READLINK, (macop_t)mac_biba_check_vnode_readlink }, { MAC_CHECK_VNODE_RELABEL, (macop_t)mac_biba_check_vnode_relabel }, { MAC_CHECK_VNODE_RENAME_FROM, (macop_t)mac_biba_check_vnode_rename_from }, { MAC_CHECK_VNODE_RENAME_TO, (macop_t)mac_biba_check_vnode_rename_to }, { MAC_CHECK_VNODE_REVOKE, (macop_t)mac_biba_check_vnode_revoke }, { MAC_CHECK_VNODE_SETACL, (macop_t)mac_biba_check_vnode_setacl }, { MAC_CHECK_VNODE_SETEXTATTR, (macop_t)mac_biba_check_vnode_setextattr }, { MAC_CHECK_VNODE_SETFLAGS, (macop_t)mac_biba_check_vnode_setflags }, { MAC_CHECK_VNODE_SETMODE, (macop_t)mac_biba_check_vnode_setmode }, { MAC_CHECK_VNODE_SETOWNER, (macop_t)mac_biba_check_vnode_setowner }, { MAC_CHECK_VNODE_SETUTIMES, (macop_t)mac_biba_check_vnode_setutimes }, { MAC_CHECK_VNODE_STAT, (macop_t)mac_biba_check_vnode_stat }, + { MAC_CHECK_VNODE_WRITE, + (macop_t)mac_biba_check_vnode_write }, { MAC_CHECK_VNODE_MMAP_PERMS, (macop_t)mac_biba_check_vnode_mmap_perms }, - { MAC_CHECK_VNODE_OP, - (macop_t)mac_biba_check_vnode_op }, { MAC_OP_LAST, NULL } }; MAC_POLICY_SET(mac_biba_ops, trustedbsd_mac_biba, "TrustedBSD MAC/Biba", MPC_LOADTIME_FLAG_NOTLATE, &mac_biba_slot); Index: head/sys/security/mac_mls/mac_mls.c =================================================================== --- head/sys/security/mac_mls/mac_mls.c (revision 102111) +++ head/sys/security/mac_mls/mac_mls.c (revision 102112) @@ -1,2177 +1,2205 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by NAI Labs, * the Security Research Division of Network Associates, Inc. under * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The names of the authors may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ /* * Developed by the TrustedBSD Project. * MLS fixed label mandatory confidentiality policy. */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include SYSCTL_DECL(_security_mac); SYSCTL_NODE(_security_mac, OID_AUTO, mls, CTLFLAG_RW, 0, "TrustedBSD mac_mls policy controls"); static int mac_mls_enabled = 0; SYSCTL_INT(_security_mac_mls, OID_AUTO, enabled, CTLFLAG_RW, &mac_mls_enabled, 0, "Enforce MAC/MLS policy"); static int destroyed_not_inited; SYSCTL_INT(_security_mac_mls, OID_AUTO, destroyed_not_inited, CTLFLAG_RD, &destroyed_not_inited, 0, "Count of labels destroyed but not inited"); static int mac_mls_revocation_enabled = 0; SYSCTL_INT(_security_mac_mls, OID_AUTO, revocation_enabled, CTLFLAG_RW, &mac_mls_revocation_enabled, 0, "Revoke access to objects on relabel"); TUNABLE_INT("security.mac.mls.revocation_enabled", &mac_mls_revocation_enabled); static int mac_mls_slot; #define SLOT(l) ((struct mac_mls *)LABEL_TO_SLOT((l), mac_mls_slot).l_ptr) MALLOC_DEFINE(M_MACMLS, "mls label", "MAC/MLS labels"); static int mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, mode_t acc_mode); static struct mac_mls * mls_alloc(int how) { struct mac_mls *mac_mls; mac_mls = malloc(sizeof(struct mac_mls), M_MACMLS, M_ZERO | how); return (mac_mls); } static void mls_free(struct mac_mls *mac_mls) { if (mac_mls != NULL) free(mac_mls, M_MACMLS); else atomic_add_int(&destroyed_not_inited, 1); } static int mac_mls_dominate_element(struct mac_mls_element *a, struct mac_mls_element *b) { switch(a->mme_type) { case MAC_MLS_TYPE_EQUAL: case MAC_MLS_TYPE_HIGH: return (1); case MAC_MLS_TYPE_LOW: switch (b->mme_type) { case MAC_MLS_TYPE_LEVEL: case MAC_MLS_TYPE_HIGH: return (0); case MAC_MLS_TYPE_EQUAL: case MAC_MLS_TYPE_LOW: return (1); default: panic("mac_mls_dominate_element: b->mme_type invalid"); } case MAC_MLS_TYPE_LEVEL: switch (b->mme_type) { case MAC_MLS_TYPE_EQUAL: case MAC_MLS_TYPE_LOW: return (1); case MAC_MLS_TYPE_HIGH: return (0); case MAC_MLS_TYPE_LEVEL: return (a->mme_level >= b->mme_level); default: panic("mac_mls_dominate_element: b->mme_type invalid"); } default: panic("mac_mls_dominate_element: a->mme_type invalid"); } return (0); } static int mac_mls_range_in_range(struct mac_mls *rangea, struct mac_mls *rangeb) { return (mac_mls_dominate_element(&rangeb->mm_rangehigh, &rangea->mm_rangehigh) && mac_mls_dominate_element(&rangea->mm_rangelow, &rangeb->mm_rangelow)); } static int mac_mls_single_in_range(struct mac_mls *single, struct mac_mls *range) { KASSERT((single->mm_flag & MAC_MLS_FLAG_SINGLE) != 0, ("mac_mls_single_in_range: a not single")); KASSERT((range->mm_flag & MAC_MLS_FLAG_RANGE) != 0, ("mac_mls_single_in_range: b not range")); return (mac_mls_dominate_element(&range->mm_rangehigh, &single->mm_single) && mac_mls_dominate_element(&single->mm_single, &range->mm_rangelow)); return (1); } static int mac_mls_dominate_single(struct mac_mls *a, struct mac_mls *b) { KASSERT((a->mm_flags & MAC_MLS_FLAG_SINGLE) != 0, ("mac_mls_dominate_single: a not single")); KASSERT((b->mm_flags & MAC_MLS_FLAG_SINGLE) != 0, ("mac_mls_dominate_single: b not single")); return (mac_mls_dominate_element(&a->mm_single, &b->mm_single)); } static int mac_mls_equal_element(struct mac_mls_element *a, struct mac_mls_element *b) { if (a->mme_type == MAC_MLS_TYPE_EQUAL || b->mme_type == MAC_MLS_TYPE_EQUAL) return (1); return (a->mme_type == b->mme_type && a->mme_level == b->mme_level); } static int mac_mls_equal_range(struct mac_mls *a, struct mac_mls *b) { KASSERT((a->mm_flags & MAC_MLS_FLAG_RANGE) != 0, ("mac_mls_equal_range: a not range")); KASSERT((b->mm_flags & MAC_MLS_FLAG_RANGE) != 0, ("mac_mls_equal_range: b not range")); return (mac_mls_equal_element(&a->mm_rangelow, &b->mm_rangelow) && mac_mls_equal_element(&a->mm_rangehigh, &b->mm_rangehigh)); } static int mac_mls_equal_single(struct mac_mls *a, struct mac_mls *b) { KASSERT((a->mm_flags & MAC_MLS_FLAG_SINGLE) != 0, ("mac_mls_equal_single: a not single")); KASSERT((b->mm_flags & MAC_MLS_FLAG_SINGLE) != 0, ("mac_mls_equal_single: b not single")); return (mac_mls_equal_element(&a->mm_single, &b->mm_single)); } static int mac_mls_valid(struct mac_mls *mac_mls) { if (mac_mls->mm_flags & MAC_MLS_FLAG_SINGLE) { switch (mac_mls->mm_single.mme_type) { case MAC_MLS_TYPE_LEVEL: break; case MAC_MLS_TYPE_EQUAL: case MAC_MLS_TYPE_HIGH: case MAC_MLS_TYPE_LOW: if (mac_mls->mm_single.mme_level != 0) return (EINVAL); break; default: return (EINVAL); } } else { if (mac_mls->mm_single.mme_type != MAC_MLS_TYPE_UNDEF) return (EINVAL); } if (mac_mls->mm_flags & MAC_MLS_FLAG_RANGE) { switch (mac_mls->mm_rangelow.mme_type) { case MAC_MLS_TYPE_LEVEL: break; case MAC_MLS_TYPE_EQUAL: case MAC_MLS_TYPE_HIGH: case MAC_MLS_TYPE_LOW: if (mac_mls->mm_rangelow.mme_level != 0) return (EINVAL); break; default: return (EINVAL); } switch (mac_mls->mm_rangehigh.mme_type) { case MAC_MLS_TYPE_LEVEL: break; case MAC_MLS_TYPE_EQUAL: case MAC_MLS_TYPE_HIGH: case MAC_MLS_TYPE_LOW: if (mac_mls->mm_rangehigh.mme_level != 0) return (EINVAL); break; default: return (EINVAL); } if (!mac_mls_dominate_element(&mac_mls->mm_rangehigh, &mac_mls->mm_rangelow)) return (EINVAL); } else { if (mac_mls->mm_rangelow.mme_type != MAC_MLS_TYPE_UNDEF || mac_mls->mm_rangehigh.mme_type != MAC_MLS_TYPE_UNDEF) return (EINVAL); } return (0); } static void mac_mls_set_range(struct mac_mls *mac_mls, u_short typelow, u_short levellow, u_short typehigh, u_short levelhigh) { mac_mls->mm_rangelow.mme_type = typelow; mac_mls->mm_rangelow.mme_level = levellow; mac_mls->mm_rangehigh.mme_type = typehigh; mac_mls->mm_rangehigh.mme_level = levelhigh; mac_mls->mm_flags |= MAC_MLS_FLAG_RANGE; } static void mac_mls_set_single(struct mac_mls *mac_mls, u_short type, u_short level) { mac_mls->mm_single.mme_type = type; mac_mls->mm_single.mme_level = level; mac_mls->mm_flags |= MAC_MLS_FLAG_SINGLE; } static void mac_mls_copy_range(struct mac_mls *labelfrom, struct mac_mls *labelto) { KASSERT((labelfrom->mm_flags & MAC_MLS_FLAG_RANGE) != 0, ("mac_mls_copy_range: labelfrom not range")); labelto->mm_rangelow = labelfrom->mm_rangelow; labelto->mm_rangehigh = labelfrom->mm_rangehigh; labelto->mm_flags |= MAC_MLS_FLAG_RANGE; } static void mac_mls_copy_single(struct mac_mls *labelfrom, struct mac_mls *labelto) { KASSERT((labelfrom->mm_flags & MAC_MLS_FLAG_SINGLE) != 0, ("mac_mls_copy_single: labelfrom not single")); labelto->mm_single = labelfrom->mm_single; labelto->mm_flags |= MAC_MLS_FLAG_SINGLE; } static void mac_mls_copy_single_to_range(struct mac_mls *labelfrom, struct mac_mls *labelto) { KASSERT((labelfrom->mm_flags & MAC_MLS_FLAG_SINGLE) != 0, ("mac_mls_copy_single_to_range: labelfrom not single")); labelto->mm_rangelow = labelfrom->mm_single; labelto->mm_rangehigh = labelfrom->mm_single; labelto->mm_flags |= MAC_MLS_FLAG_RANGE; } /* * Policy module operations. */ static void mac_mls_destroy(struct mac_policy_conf *conf) { } static void mac_mls_init(struct mac_policy_conf *conf) { } /* * Label operations. */ static void mac_mls_init_bpfdesc(struct bpf_d *bpf_d, struct label *label) { SLOT(label) = mls_alloc(M_WAITOK); } static void mac_mls_init_cred(struct ucred *ucred, struct label *label) { SLOT(label) = mls_alloc(M_WAITOK); } static void mac_mls_init_devfsdirent(struct devfs_dirent *devfs_dirent, struct label *label) { SLOT(label) = mls_alloc(M_WAITOK); } static void mac_mls_init_ifnet(struct ifnet *ifnet, struct label *label) { SLOT(label) = mls_alloc(M_WAITOK); } static void mac_mls_init_ipq(struct ipq *ipq, struct label *label) { SLOT(label) = mls_alloc(M_WAITOK); } static int mac_mls_init_mbuf(struct mbuf *mbuf, int how, struct label *label) { SLOT(label) = mls_alloc(how); if (SLOT(label) == NULL) return (ENOMEM); return (0); } static void mac_mls_init_mount(struct mount *mount, struct label *mntlabel, struct label *fslabel) { SLOT(mntlabel) = mls_alloc(M_WAITOK); SLOT(fslabel) = mls_alloc(M_WAITOK); } static void mac_mls_init_socket(struct socket *socket, struct label *label, struct label *peerlabel) { SLOT(label) = mls_alloc(M_WAITOK); SLOT(peerlabel) = mls_alloc(M_WAITOK); } static void mac_mls_init_pipe(struct pipe *pipe, struct label *label) { SLOT(label) = mls_alloc(M_WAITOK); } static void mac_mls_init_temp(struct label *label) { SLOT(label) = mls_alloc(M_WAITOK); } static void mac_mls_init_vnode(struct vnode *vp, struct label *label) { SLOT(label) = mls_alloc(M_WAITOK); } static void mac_mls_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label) { mls_free(SLOT(label)); SLOT(label) = NULL; } static void mac_mls_destroy_cred(struct ucred *ucred, struct label *label) { mls_free(SLOT(label)); SLOT(label) = NULL; } static void mac_mls_destroy_devfsdirent(struct devfs_dirent *devfs_dirent, struct label *label) { mls_free(SLOT(label)); SLOT(label) = NULL; } static void mac_mls_destroy_ifnet(struct ifnet *ifnet, struct label *label) { mls_free(SLOT(label)); SLOT(label) = NULL; } static void mac_mls_destroy_ipq(struct ipq *ipq, struct label *label) { mls_free(SLOT(label)); SLOT(label) = NULL; } static void mac_mls_destroy_mbuf(struct mbuf *mbuf, struct label *label) { mls_free(SLOT(label)); SLOT(label) = NULL; } static void mac_mls_destroy_mount(struct mount *mount, struct label *mntlabel, struct label *fslabel) { mls_free(SLOT(mntlabel)); SLOT(mntlabel) = NULL; mls_free(SLOT(fslabel)); SLOT(fslabel) = NULL; } static void mac_mls_destroy_socket(struct socket *socket, struct label *label, struct label *peerlabel) { mls_free(SLOT(label)); SLOT(label) = NULL; mls_free(SLOT(peerlabel)); SLOT(peerlabel) = NULL; } static void mac_mls_destroy_pipe(struct pipe *pipe, struct label *label) { mls_free(SLOT(label)); SLOT(label) = NULL; } static void mac_mls_destroy_temp(struct label *label) { mls_free(SLOT(label)); SLOT(label) = NULL; } static void mac_mls_destroy_vnode(struct vnode *vp, struct label *label) { mls_free(SLOT(label)); SLOT(label) = NULL; } static int mac_mls_externalize(struct label *label, struct mac *extmac) { struct mac_mls *mac_mls; mac_mls = SLOT(label); if (mac_mls == NULL) { printf("mac_mls_externalize: NULL pointer\n"); return (0); } extmac->m_mls = *mac_mls; return (0); } static int mac_mls_internalize(struct label *label, struct mac *extmac) { struct mac_mls *mac_mls; int error; mac_mls = SLOT(label); error = mac_mls_valid(mac_mls); if (error) return (error); *mac_mls = extmac->m_mls; return (0); } /* * Labeling event operations: file system objects, and things that look * a lot like file system objects. */ static void mac_mls_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent, struct label *label) { struct mac_mls *mac_mls; int mls_type; mac_mls = SLOT(label); if (strcmp(dev->si_name, "null") == 0 || strcmp(dev->si_name, "zero") == 0 || strcmp(dev->si_name, "random") == 0 || strncmp(dev->si_name, "fd/", strlen("fd/")) == 0) mls_type = MAC_MLS_TYPE_EQUAL; else if (strcmp(dev->si_name, "kmem") == 0 || strcmp(dev->si_name, "mem") == 0) mls_type = MAC_MLS_TYPE_HIGH; else mls_type = MAC_MLS_TYPE_LOW; mac_mls_set_single(mac_mls, mls_type, 0); } static void mac_mls_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label) { struct mac_mls *mac_mls; mac_mls = SLOT(label); mac_mls_set_single(mac_mls, MAC_MLS_TYPE_LOW, 0); } static void mac_mls_create_devfs_vnode(struct devfs_dirent *devfs_dirent, struct label *direntlabel, struct vnode *vp, struct label *vnodelabel) { struct mac_mls *source, *dest; source = SLOT(direntlabel); dest = SLOT(vnodelabel); mac_mls_copy_single(source, dest); } static void mac_mls_create_vnode(struct ucred *cred, struct vnode *parent, struct label *parentlabel, struct vnode *child, struct label *childlabel) { struct mac_mls *source, *dest; source = SLOT(&cred->cr_label); dest = SLOT(childlabel); mac_mls_copy_single(source, dest); } static void mac_mls_create_mount(struct ucred *cred, struct mount *mp, struct label *mntlabel, struct label *fslabel) { struct mac_mls *source, *dest; source = SLOT(&cred->cr_label); dest = SLOT(mntlabel); mac_mls_copy_single(source, dest); dest = SLOT(fslabel); mac_mls_copy_single(source, dest); } static void mac_mls_create_root_mount(struct ucred *cred, struct mount *mp, struct label *mntlabel, struct label *fslabel) { struct mac_mls *mac_mls; /* Always mount root as high integrity. */ mac_mls = SLOT(fslabel); mac_mls_set_single(mac_mls, MAC_MLS_TYPE_LOW, 0); mac_mls = SLOT(mntlabel); mac_mls_set_single(mac_mls, MAC_MLS_TYPE_LOW, 0); } static void mac_mls_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *label) { struct mac_mls *source, *dest; source = SLOT(label); dest = SLOT(vnodelabel); mac_mls_copy_single(source, dest); } static void mac_mls_update_devfsdirent(struct devfs_dirent *devfs_dirent, struct label *direntlabel, struct vnode *vp, struct label *vnodelabel) { struct mac_mls *source, *dest; source = SLOT(vnodelabel); dest = SLOT(direntlabel); mac_mls_copy_single(source, dest); } static void mac_mls_update_procfsvnode(struct vnode *vp, struct label *vnodelabel, struct ucred *cred) { struct mac_mls *source, *dest; source = SLOT(&cred->cr_label); dest = SLOT(vnodelabel); /* * Only copy the single, not the range, since vnodes only have * a single. */ mac_mls_copy_single(source, dest); } static int mac_mls_update_vnode_from_externalized(struct vnode *vp, struct label *vnodelabel, struct mac *extmac) { struct mac_mls *source, *dest; int error; source = &extmac->m_mls; dest = SLOT(vnodelabel); error = mac_mls_valid(source); if (error) return (error); if ((source->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_SINGLE) return (EINVAL); mac_mls_copy_single(source, dest); return (0); } static void mac_mls_update_vnode_from_mount(struct vnode *vp, struct label *vnodelabel, struct mount *mp, struct label *fslabel) { struct mac_mls *source, *dest; source = SLOT(fslabel); dest = SLOT(vnodelabel); mac_mls_copy_single(source, dest); } /* * Labeling event operations: IPC object. */ static void mac_mls_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { struct mac_mls *source, *dest; source = SLOT(socketlabel); dest = SLOT(mbuflabel); mac_mls_copy_single(source, dest); } static void mac_mls_create_socket(struct ucred *cred, struct socket *socket, struct label *socketlabel) { struct mac_mls *source, *dest; source = SLOT(&cred->cr_label); dest = SLOT(socketlabel); mac_mls_copy_single(source, dest); mac_mls_copy_single_to_range(source, dest); } static void mac_mls_create_pipe(struct ucred *cred, struct pipe *pipe, struct label *pipelabel) { struct mac_mls *source, *dest; source = SLOT(&cred->cr_label); dest = SLOT(pipelabel); mac_mls_copy_single(source, dest); } static void mac_mls_create_socket_from_socket(struct socket *oldsocket, struct label *oldsocketlabel, struct socket *newsocket, struct label *newsocketlabel) { struct mac_mls *source, *dest; source = SLOT(oldsocketlabel); dest = SLOT(newsocketlabel); mac_mls_copy_single(source, dest); mac_mls_copy_range(source, dest); } static void mac_mls_relabel_socket(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) { struct mac_mls *source, *dest; source = SLOT(newlabel); dest = SLOT(socketlabel); mac_mls_copy_single(source, dest); mac_mls_copy_range(source, dest); } static void mac_mls_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) { struct mac_mls *source, *dest; source = SLOT(newlabel); dest = SLOT(pipelabel); mac_mls_copy_single(source, dest); } static void mac_mls_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel, struct socket *socket, struct label *socketpeerlabel) { struct mac_mls *source, *dest; source = SLOT(mbuflabel); dest = SLOT(socketpeerlabel); mac_mls_copy_single(source, dest); } /* * Labeling event operations: network objects. */ static void mac_mls_set_socket_peer_from_socket(struct socket *oldsocket, struct label *oldsocketlabel, struct socket *newsocket, struct label *newsocketpeerlabel) { struct mac_mls *source, *dest; source = SLOT(oldsocketlabel); dest = SLOT(newsocketpeerlabel); mac_mls_copy_single(source, dest); } static void mac_mls_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d, struct label *bpflabel) { struct mac_mls *source, *dest; source = SLOT(&cred->cr_label); dest = SLOT(bpflabel); mac_mls_copy_single(source, dest); } static void mac_mls_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel) { struct mac_mls *dest; int level; dest = SLOT(ifnetlabel); if (ifnet->if_type == IFT_LOOP) level = MAC_MLS_TYPE_EQUAL; else level = MAC_MLS_TYPE_LOW; mac_mls_set_single(dest, level, 0); mac_mls_set_range(dest, level, 0, level, 0); } static void mac_mls_create_ipq(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { struct mac_mls *source, *dest; source = SLOT(fragmentlabel); dest = SLOT(ipqlabel); mac_mls_copy_single(source, dest); } static void mac_mls_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel, struct mbuf *datagram, struct label *datagramlabel) { struct mac_mls *source, *dest; source = SLOT(ipqlabel); dest = SLOT(datagramlabel); /* Just use the head, since we require them all to match. */ mac_mls_copy_single(source, dest); } static void mac_mls_create_fragment(struct mbuf *datagram, struct label *datagramlabel, struct mbuf *fragment, struct label *fragmentlabel) { struct mac_mls *source, *dest; source = SLOT(datagramlabel); dest = SLOT(fragmentlabel); mac_mls_copy_single(source, dest); } static void mac_mls_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel) { struct mac_mls *source, *dest; source = SLOT(oldmbuflabel); dest = SLOT(newmbuflabel); mac_mls_copy_single(source, dest); } static void mac_mls_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *mbuf, struct label *mbuflabel) { struct mac_mls *dest; dest = SLOT(mbuflabel); mac_mls_set_single(dest, MAC_MLS_TYPE_EQUAL, 0); } static void mac_mls_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel, struct mbuf *mbuf, struct label *mbuflabel) { struct mac_mls *source, *dest; source = SLOT(bpflabel); dest = SLOT(mbuflabel); mac_mls_copy_single(source, dest); } static void mac_mls_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel) { struct mac_mls *source, *dest; source = SLOT(ifnetlabel); dest = SLOT(mbuflabel); mac_mls_copy_single(source, dest); } static void mac_mls_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *newmbuf, struct label *newmbuflabel) { struct mac_mls *source, *dest; source = SLOT(oldmbuflabel); dest = SLOT(newmbuflabel); mac_mls_copy_single(source, dest); } static void mac_mls_create_mbuf_netlayer(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel) { struct mac_mls *source, *dest; source = SLOT(oldmbuflabel); dest = SLOT(newmbuflabel); mac_mls_copy_single(source, dest); } static int mac_mls_fragment_match(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { struct mac_mls *a, *b; a = SLOT(ipqlabel); b = SLOT(fragmentlabel); return (mac_mls_equal_single(a, b)); } static void mac_mls_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, struct label *newlabel) { struct mac_mls *source, *dest; source = SLOT(newlabel); dest = SLOT(ifnetlabel); mac_mls_copy_single(source, dest); mac_mls_copy_range(source, dest); } static void mac_mls_update_ipq(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { /* NOOP: we only accept matching labels, so no need to update */ } /* * Labeling event operations: processes. */ static void mac_mls_create_cred(struct ucred *cred_parent, struct ucred *cred_child) { struct mac_mls *source, *dest; source = SLOT(&cred_parent->cr_label); dest = SLOT(&cred_child->cr_label); mac_mls_copy_single(source, dest); mac_mls_copy_range(source, dest); } static void mac_mls_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct mac *vnodelabel) { struct mac_mls *source, *dest; source = SLOT(&old->cr_label); dest = SLOT(&new->cr_label); mac_mls_copy_single(source, dest); mac_mls_copy_range(source, dest); } static int mac_mls_execve_will_transition(struct ucred *old, struct vnode *vp, struct mac *vnodelabel) { return (0); } static void mac_mls_create_proc0(struct ucred *cred) { struct mac_mls *dest; dest = SLOT(&cred->cr_label); mac_mls_set_single(dest, MAC_MLS_TYPE_EQUAL, 0); mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, MAC_MLS_TYPE_HIGH, 0); } static void mac_mls_create_proc1(struct ucred *cred) { struct mac_mls *dest; dest = SLOT(&cred->cr_label); mac_mls_set_single(dest, MAC_MLS_TYPE_LOW, 0); mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, MAC_MLS_TYPE_HIGH, 0); } static void mac_mls_relabel_cred(struct ucred *cred, struct label *newlabel) { struct mac_mls *source, *dest; source = SLOT(newlabel); dest = SLOT(&cred->cr_label); mac_mls_copy_single(source, dest); mac_mls_copy_range(source, dest); } /* * Access control checks. */ static int mac_mls_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel, struct ifnet *ifnet, struct label *ifnetlabel) { struct mac_mls *a, *b; if (!mac_mls_enabled) return (0); a = SLOT(bpflabel); b = SLOT(ifnetlabel); if (mac_mls_equal_single(a, b)) return (0); return (EACCES); } static int mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel) { struct mac_mls *subj, *new; subj = SLOT(&cred->cr_label); new = SLOT(newlabel); if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAGS_BOTH) return (EINVAL); /* * XXX: Allow processes with root privilege to set labels outside * their range, so suid things like "su" work. This WILL go away * when we figure out the 'correct' solution... */ if (!suser_cred(cred, 0)) return (0); /* * The new single must be in the old range. */ if (!mac_mls_single_in_range(new, subj)) return (EPERM); /* * The new range must be in the old range. */ if (!mac_mls_range_in_range(new, subj)) return (EPERM); /* * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. */ return (0); } static int mac_mls_check_cred_visible(struct ucred *u1, struct ucred *u2) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&u1->cr_label); obj = SLOT(&u2->cr_label); /* XXX: range */ if (!mac_mls_dominate_single(subj, obj)) return (ESRCH); return (0); } static int mac_mls_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, struct label *newlabel) { struct mac_mls *subj, *new; subj = SLOT(&cred->cr_label); new = SLOT(newlabel); if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAGS_BOTH) return (EINVAL); /* XXX: privilege model here? */ return (suser_cred(cred, 0)); } static int mac_mls_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel) { struct mac_mls *p, *i; if (!mac_mls_enabled) return (0); p = SLOT(mbuflabel); i = SLOT(ifnetlabel); return (mac_mls_single_in_range(p, i) ? 0 : EACCES); } static int mac_mls_check_mount_stat(struct ucred *cred, struct mount *mp, struct label *mntlabel) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(mntlabel); if (!mac_mls_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_mls_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) { if(!mac_mls_enabled) return (0); /* XXX: This will be implemented soon... */ return (0); } static int mac_mls_check_pipe_op(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, int op) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT((pipelabel)); switch(op) { case MAC_OP_PIPE_READ: case MAC_OP_PIPE_STAT: case MAC_OP_PIPE_POLL: if (!mac_mls_dominate_single(subj, obj)) return (EACCES); break; case MAC_OP_PIPE_WRITE: if (!mac_mls_dominate_single(obj, subj)) return (EACCES); break; default: panic("mac_mls_check_pipe_op: invalid pipe operation"); } return (0); } static int mac_mls_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) { struct mac_mls *subj, *obj, *new; new = SLOT(newlabel); subj = SLOT(&cred->cr_label); obj = SLOT(pipelabel); if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_SINGLE) return (EINVAL); /* * To relabel a pipe, the old pipe label must be in the subject * range. */ if (!mac_mls_single_in_range(obj, subj)) return (EPERM); /* * To relabel a pipe, the new pipe label must be in the subject * range. */ if (!mac_mls_single_in_range(new, subj)) return (EPERM); /* * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. */ return (0); } static int mac_mls_check_proc_debug(struct ucred *cred, struct proc *proc) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(&proc->p_ucred->cr_label); /* XXX: range checks */ if (!mac_mls_dominate_single(subj, obj)) return (ESRCH); if (!mac_mls_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_mls_check_proc_sched(struct ucred *cred, struct proc *proc) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(&proc->p_ucred->cr_label); /* XXX: range checks */ if (!mac_mls_dominate_single(subj, obj)) return (ESRCH); if (!mac_mls_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_mls_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(&proc->p_ucred->cr_label); /* XXX: range checks */ if (!mac_mls_dominate_single(subj, obj)) return (ESRCH); if (!mac_mls_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_mls_check_socket_deliver(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { struct mac_mls *p, *s; if (!mac_mls_enabled) return (0); p = SLOT(mbuflabel); s = SLOT(socketlabel); return (mac_mls_equal_single(p, s) ? 0 : EACCES); } static int mac_mls_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) { struct mac_mls *subj, *obj, *new; new = SLOT(newlabel); subj = SLOT(&cred->cr_label); obj = SLOT(socketlabel); if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_SINGLE) return (EINVAL); /* * To relabel a socket, the old socket label must be in the subject * range. */ if (!mac_mls_single_in_range(obj, subj)) return (EPERM); /* * To relabel a socket, the new socket label must be in the subject * range. */ if (!mac_mls_single_in_range(new, subj)) return (EPERM); /* * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. */ return (0); } static int mac_mls_check_socket_visible(struct ucred *cred, struct socket *socket, struct label *socketlabel) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(socketlabel); if (!mac_mls_dominate_single(subj, obj)) return (ENOENT); return (0); } static int mac_mls_check_vnode_access(struct ucred *cred, struct vnode *vp, struct label *label, mode_t flags) { return (mac_mls_check_vnode_open(cred, vp, label, flags)); } static int mac_mls_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(dlabel); if (!mac_mls_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_mls_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(dlabel); if (!mac_mls_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_mls_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp, struct vattr *vap) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(dlabel); if (!mac_mls_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_mls_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(dlabel); if (!mac_mls_dominate_single(obj, subj)) return (EACCES); obj = SLOT(label); if (!mac_mls_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_mls_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp, struct label *label) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_mls_check_vnode_getacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_mls_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(dlabel); if (!mac_mls_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, mode_t acc_mode) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(vnodelabel); /* XXX privilege override for admin? */ if (acc_mode & (VREAD | VEXEC | VSTAT)) { if (!mac_mls_dominate_single(subj, obj)) return (EACCES); } if (acc_mode & (VWRITE | VAPPEND | VADMIN)) { if (!mac_mls_dominate_single(obj, subj)) return (EACCES); } return (0); } static int +mac_mls_check_vnode_poll(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled || !mac_mls_revocation_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_mls_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + +static int +mac_mls_check_vnode_read(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled || !mac_mls_revocation_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_mls_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + +static int mac_mls_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(dlabel); if (!mac_mls_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_mls_check_vnode_readlink(struct ucred *cred, struct vnode *vp, struct label *vnodelabel) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(vnodelabel); if (!mac_mls_dominate_single(subj, obj)) return (EACCES); return (0); } static int mac_mls_check_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *newlabel) { struct mac_mls *old, *new, *subj; old = SLOT(vnodelabel); new = SLOT(newlabel); subj = SLOT(&cred->cr_label); if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_SINGLE) return (EINVAL); /* * To relabel a vnode, the old vnode label must be in the subject * range. */ if (!mac_mls_single_in_range(old, subj)) return (EPERM); /* * To relabel a vnode, the new vnode label must be in the subject * range. */ if (!mac_mls_single_in_range(new, subj)) return (EPERM); /* * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. */ return (suser_cred(cred, 0)); } static int mac_mls_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(dlabel); if (!mac_mls_dominate_single(obj, subj)) return (EACCES); obj = SLOT(label); if (!mac_mls_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_mls_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, int samedir, struct componentname *cnp) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(dlabel); if (!mac_mls_dominate_single(obj, subj)) return (EACCES); if (vp != NULL) { obj = SLOT(label); if (!mac_mls_dominate_single(obj, subj)) return (EACCES); } return (0); } static int mac_mls_check_vnode_revoke(struct ucred *cred, struct vnode *vp, struct label *label) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_mls_check_vnode_setacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type, struct acl *acl) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_mls_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, int attrnamespace, const char *name, struct uio *uio) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(vnodelabel); if (!mac_mls_dominate_single(obj, subj)) return (EACCES); /* XXX: protect the MAC EA in a special way? */ return (0); } static int mac_mls_check_vnode_setflags(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, u_long flags) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(vnodelabel); if (!mac_mls_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_mls_check_vnode_setmode(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, mode_t mode) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(vnodelabel); if (!mac_mls_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_mls_check_vnode_setowner(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, uid_t uid, gid_t gid) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(vnodelabel); if (!mac_mls_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_mls_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct timespec atime, struct timespec mtime) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(vnodelabel); if (!mac_mls_dominate_single(obj, subj)) return (EACCES); return (0); } static int mac_mls_check_vnode_stat(struct ucred *cred, struct vnode *vp, struct label *vnodelabel) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); subj = SLOT(&cred->cr_label); obj = SLOT(vnodelabel); if (!mac_mls_dominate_single(subj, obj)) return (EACCES); return (0); } +static int +mac_mls_check_vnode_write(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled || !mac_mls_revocation_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_mls_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + static vm_prot_t mac_mls_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, struct label *label, int newmapping) { struct mac_mls *subj, *obj; vm_prot_t prot = 0; if (!mac_mls_enabled || (!mac_mls_revocation_enabled && !newmapping)) return (VM_PROT_ALL); subj = SLOT(&cred->cr_label); obj = SLOT(label); if (mac_mls_dominate_single(subj, obj)) prot |= VM_PROT_READ | VM_PROT_EXECUTE; if (mac_mls_dominate_single(obj, subj)) prot |= VM_PROT_WRITE; return (prot); } -static int -mac_mls_check_vnode_op(struct ucred *cred, struct vnode *vp, - struct label *label, int op) -{ - struct mac_mls *subj, *obj; - - if (!mac_mls_enabled || !mac_mls_revocation_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(label); - - switch (op) { - case MAC_OP_VNODE_POLL: - case MAC_OP_VNODE_READ: - if (!mac_mls_dominate_single(subj, obj)) - return (EACCES); - return (0); - - case MAC_OP_VNODE_WRITE: - if (!mac_mls_dominate_single(obj, subj)) - return (EACCES); - return (0); - - default: - printf("mac_mls_check_vnode_op: unknown operation %d\n", op); - return (EINVAL); - } -} - static struct mac_policy_op_entry mac_mls_ops[] = { { MAC_DESTROY, (macop_t)mac_mls_destroy }, { MAC_INIT, (macop_t)mac_mls_init }, { MAC_INIT_BPFDESC, (macop_t)mac_mls_init_bpfdesc }, { MAC_INIT_CRED, (macop_t)mac_mls_init_cred }, { MAC_INIT_DEVFSDIRENT, (macop_t)mac_mls_init_devfsdirent }, { MAC_INIT_IFNET, (macop_t)mac_mls_init_ifnet }, { MAC_INIT_IPQ, (macop_t)mac_mls_init_ipq }, { MAC_INIT_MBUF, (macop_t)mac_mls_init_mbuf }, { MAC_INIT_MOUNT, (macop_t)mac_mls_init_mount }, { MAC_INIT_PIPE, (macop_t)mac_mls_init_pipe }, { MAC_INIT_SOCKET, (macop_t)mac_mls_init_socket }, { MAC_INIT_TEMP, (macop_t)mac_mls_init_temp }, { MAC_INIT_VNODE, (macop_t)mac_mls_init_vnode }, { MAC_DESTROY_BPFDESC, (macop_t)mac_mls_destroy_bpfdesc }, { MAC_DESTROY_CRED, (macop_t)mac_mls_destroy_cred }, { MAC_DESTROY_DEVFSDIRENT, (macop_t)mac_mls_destroy_devfsdirent }, { MAC_DESTROY_IFNET, (macop_t)mac_mls_destroy_ifnet }, { MAC_DESTROY_IPQ, (macop_t)mac_mls_destroy_ipq }, { MAC_DESTROY_MBUF, (macop_t)mac_mls_destroy_mbuf }, { MAC_DESTROY_MOUNT, (macop_t)mac_mls_destroy_mount }, { MAC_DESTROY_PIPE, (macop_t)mac_mls_destroy_pipe }, { MAC_DESTROY_SOCKET, (macop_t)mac_mls_destroy_socket }, { MAC_DESTROY_TEMP, (macop_t)mac_mls_destroy_temp }, { MAC_DESTROY_VNODE, (macop_t)mac_mls_destroy_vnode }, { MAC_EXTERNALIZE, (macop_t)mac_mls_externalize }, { MAC_INTERNALIZE, (macop_t)mac_mls_internalize }, { MAC_CREATE_DEVFS_DEVICE, (macop_t)mac_mls_create_devfs_device }, { MAC_CREATE_DEVFS_DIRECTORY, (macop_t)mac_mls_create_devfs_directory }, { MAC_CREATE_DEVFS_VNODE, (macop_t)mac_mls_create_devfs_vnode }, { MAC_CREATE_VNODE, (macop_t)mac_mls_create_vnode }, { MAC_CREATE_MOUNT, (macop_t)mac_mls_create_mount }, { MAC_CREATE_ROOT_MOUNT, (macop_t)mac_mls_create_root_mount }, { MAC_RELABEL_VNODE, (macop_t)mac_mls_relabel_vnode }, { MAC_UPDATE_DEVFSDIRENT, (macop_t)mac_mls_update_devfsdirent }, { MAC_UPDATE_PROCFSVNODE, (macop_t)mac_mls_update_procfsvnode }, { MAC_UPDATE_VNODE_FROM_EXTERNALIZED, (macop_t)mac_mls_update_vnode_from_externalized }, { MAC_UPDATE_VNODE_FROM_MOUNT, (macop_t)mac_mls_update_vnode_from_mount }, { MAC_CREATE_MBUF_FROM_SOCKET, (macop_t)mac_mls_create_mbuf_from_socket }, { MAC_CREATE_PIPE, (macop_t)mac_mls_create_pipe }, { MAC_CREATE_SOCKET, (macop_t)mac_mls_create_socket }, { MAC_CREATE_SOCKET_FROM_SOCKET, (macop_t)mac_mls_create_socket_from_socket }, { MAC_RELABEL_PIPE, (macop_t)mac_mls_relabel_pipe }, { MAC_RELABEL_SOCKET, (macop_t)mac_mls_relabel_socket }, { MAC_SET_SOCKET_PEER_FROM_MBUF, (macop_t)mac_mls_set_socket_peer_from_mbuf }, { MAC_SET_SOCKET_PEER_FROM_SOCKET, (macop_t)mac_mls_set_socket_peer_from_socket }, { MAC_CREATE_BPFDESC, (macop_t)mac_mls_create_bpfdesc }, { MAC_CREATE_DATAGRAM_FROM_IPQ, (macop_t)mac_mls_create_datagram_from_ipq }, { MAC_CREATE_FRAGMENT, (macop_t)mac_mls_create_fragment }, { MAC_CREATE_IFNET, (macop_t)mac_mls_create_ifnet }, { MAC_CREATE_IPQ, (macop_t)mac_mls_create_ipq }, { MAC_CREATE_MBUF_FROM_MBUF, (macop_t)mac_mls_create_mbuf_from_mbuf }, { MAC_CREATE_MBUF_LINKLAYER, (macop_t)mac_mls_create_mbuf_linklayer }, { MAC_CREATE_MBUF_FROM_BPFDESC, (macop_t)mac_mls_create_mbuf_from_bpfdesc }, { MAC_CREATE_MBUF_FROM_IFNET, (macop_t)mac_mls_create_mbuf_from_ifnet }, { MAC_CREATE_MBUF_MULTICAST_ENCAP, (macop_t)mac_mls_create_mbuf_multicast_encap }, { MAC_CREATE_MBUF_NETLAYER, (macop_t)mac_mls_create_mbuf_netlayer }, { MAC_FRAGMENT_MATCH, (macop_t)mac_mls_fragment_match }, { MAC_RELABEL_IFNET, (macop_t)mac_mls_relabel_ifnet }, { MAC_UPDATE_IPQ, (macop_t)mac_mls_update_ipq }, { MAC_CREATE_CRED, (macop_t)mac_mls_create_cred }, { MAC_EXECVE_TRANSITION, (macop_t)mac_mls_execve_transition }, { MAC_EXECVE_WILL_TRANSITION, (macop_t)mac_mls_execve_will_transition }, { MAC_CREATE_PROC0, (macop_t)mac_mls_create_proc0 }, { MAC_CREATE_PROC1, (macop_t)mac_mls_create_proc1 }, { MAC_RELABEL_CRED, (macop_t)mac_mls_relabel_cred }, { MAC_CHECK_BPFDESC_RECEIVE, (macop_t)mac_mls_check_bpfdesc_receive }, { MAC_CHECK_CRED_RELABEL, (macop_t)mac_mls_check_cred_relabel }, { MAC_CHECK_CRED_VISIBLE, (macop_t)mac_mls_check_cred_visible }, { MAC_CHECK_IFNET_RELABEL, (macop_t)mac_mls_check_ifnet_relabel }, { MAC_CHECK_IFNET_TRANSMIT, (macop_t)mac_mls_check_ifnet_transmit }, { MAC_CHECK_MOUNT_STAT, (macop_t)mac_mls_check_mount_stat }, { MAC_CHECK_PIPE_IOCTL, (macop_t)mac_mls_check_pipe_ioctl }, { MAC_CHECK_PIPE_OP, (macop_t)mac_mls_check_pipe_op }, { MAC_CHECK_PIPE_RELABEL, (macop_t)mac_mls_check_pipe_relabel }, { MAC_CHECK_PROC_DEBUG, (macop_t)mac_mls_check_proc_debug }, { MAC_CHECK_PROC_SCHED, (macop_t)mac_mls_check_proc_sched }, { MAC_CHECK_PROC_SIGNAL, (macop_t)mac_mls_check_proc_signal }, { MAC_CHECK_SOCKET_DELIVER, (macop_t)mac_mls_check_socket_deliver }, { MAC_CHECK_SOCKET_RELABEL, (macop_t)mac_mls_check_socket_relabel }, { MAC_CHECK_SOCKET_VISIBLE, (macop_t)mac_mls_check_socket_visible }, { MAC_CHECK_VNODE_ACCESS, (macop_t)mac_mls_check_vnode_access }, { MAC_CHECK_VNODE_CHDIR, (macop_t)mac_mls_check_vnode_chdir }, { MAC_CHECK_VNODE_CHROOT, (macop_t)mac_mls_check_vnode_chroot }, { MAC_CHECK_VNODE_CREATE, (macop_t)mac_mls_check_vnode_create }, { MAC_CHECK_VNODE_DELETE, (macop_t)mac_mls_check_vnode_delete }, { MAC_CHECK_VNODE_DELETEACL, (macop_t)mac_mls_check_vnode_deleteacl }, { MAC_CHECK_VNODE_EXEC, (macop_t)mac_mls_check_vnode_exec }, { MAC_CHECK_VNODE_GETACL, (macop_t)mac_mls_check_vnode_getacl }, { MAC_CHECK_VNODE_GETEXTATTR, (macop_t)mac_mls_check_vnode_getextattr }, { MAC_CHECK_VNODE_LOOKUP, (macop_t)mac_mls_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, (macop_t)mac_mls_check_vnode_open }, + { MAC_CHECK_VNODE_POLL, + (macop_t)mac_mls_check_vnode_poll }, + { MAC_CHECK_VNODE_READ, + (macop_t)mac_mls_check_vnode_read }, { MAC_CHECK_VNODE_READDIR, (macop_t)mac_mls_check_vnode_readdir }, { MAC_CHECK_VNODE_READLINK, (macop_t)mac_mls_check_vnode_readlink }, { MAC_CHECK_VNODE_RELABEL, (macop_t)mac_mls_check_vnode_relabel }, { MAC_CHECK_VNODE_RENAME_FROM, (macop_t)mac_mls_check_vnode_rename_from }, { MAC_CHECK_VNODE_RENAME_TO, (macop_t)mac_mls_check_vnode_rename_to }, { MAC_CHECK_VNODE_REVOKE, (macop_t)mac_mls_check_vnode_revoke }, { MAC_CHECK_VNODE_SETACL, (macop_t)mac_mls_check_vnode_setacl }, { MAC_CHECK_VNODE_SETEXTATTR, (macop_t)mac_mls_check_vnode_setextattr }, { MAC_CHECK_VNODE_SETFLAGS, (macop_t)mac_mls_check_vnode_setflags }, { MAC_CHECK_VNODE_SETMODE, (macop_t)mac_mls_check_vnode_setmode }, { MAC_CHECK_VNODE_SETOWNER, (macop_t)mac_mls_check_vnode_setowner }, { MAC_CHECK_VNODE_SETUTIMES, (macop_t)mac_mls_check_vnode_setutimes }, { MAC_CHECK_VNODE_STAT, (macop_t)mac_mls_check_vnode_stat }, + { MAC_CHECK_VNODE_WRITE, + (macop_t)mac_mls_check_vnode_write }, { MAC_CHECK_VNODE_MMAP_PERMS, (macop_t)mac_mls_check_vnode_mmap_perms }, - { MAC_CHECK_VNODE_OP, - (macop_t)mac_mls_check_vnode_op }, { MAC_OP_LAST, NULL } }; MAC_POLICY_SET(mac_mls_ops, trustedbsd_mac_mls, "TrustedBSD MAC/MLS", MPC_LOADTIME_FLAG_NOTLATE, &mac_mls_slot); Index: head/sys/security/mac_none/mac_none.c =================================================================== --- head/sys/security/mac_none/mac_none.c (revision 102111) +++ head/sys/security/mac_none/mac_none.c (revision 102112) @@ -1,1105 +1,1135 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by NAI Labs, * the Security Research Division of Network Associates, Inc. under * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The names of the authors may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ /* * Developed by the TrustedBSD Project. * Generic mandatory access module that does nothing. */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include SYSCTL_DECL(_security_mac); SYSCTL_NODE(_security_mac, OID_AUTO, none, CTLFLAG_RW, 0, "TrustedBSD mac_none policy controls"); static int mac_none_enabled = 0; SYSCTL_INT(_security_mac_none, OID_AUTO, enabled, CTLFLAG_RW, &mac_none_enabled, 0, "Enforce none policy"); /* * Policy module operations. */ static void mac_none_destroy(struct mac_policy_conf *conf) { } static void mac_none_init(struct mac_policy_conf *conf) { } /* * Label operations. */ static void mac_none_init_bpfdesc(struct bpf_d *bpf_d, struct label *label) { } static void mac_none_init_cred(struct ucred *ucred, struct label *label) { } static void mac_none_init_devfsdirent(struct devfs_dirent *devfs_dirent, struct label *label) { } static void mac_none_init_ifnet(struct ifnet *ifnet, struct label *label) { } static void mac_none_init_ipq(struct ipq *ipq, struct label *ipqlabel) { } static int mac_none_init_mbuf(struct mbuf *mbuf, int how, struct label *label) { return (0); } static void mac_none_init_mount(struct mount *mount, struct label *mntlabel, struct label *fslabel) { } static void mac_none_init_socket(struct socket *socket, struct label *label, struct label *peerlabel) { } static void mac_none_init_pipe(struct pipe *pipe, struct label *label) { } static void mac_none_init_temp(struct label *label) { } static void mac_none_init_vnode(struct vnode *vp, struct label *label) { } static void mac_none_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label) { } static void mac_none_destroy_cred(struct ucred *ucred, struct label *label) { } static void mac_none_destroy_devfsdirent(struct devfs_dirent *devfs_dirent, struct label *label) { } static void mac_none_destroy_ifnet(struct ifnet *ifnet, struct label *label) { } static void mac_none_destroy_ipq(struct ipq *ipq, struct label *label) { } static void mac_none_destroy_mbuf(struct mbuf *mbuf, struct label *label) { } static void mac_none_destroy_mount(struct mount *mount, struct label *mntlabel, struct label *fslabel) { } static void mac_none_destroy_socket(struct socket *socket, struct label *label, struct label *peerlabel) { } static void mac_none_destroy_pipe(struct pipe *pipe, struct label *label) { } static void mac_none_destroy_temp(struct label *label) { } static void mac_none_destroy_vnode(struct vnode *vp, struct label *label) { } static int mac_none_externalize(struct label *label, struct mac *extmac) { return (0); } static int mac_none_internalize(struct label *label, struct mac *extmac) { return (0); } /* * Labeling event operations: file system objects, and things that look * a lot like file system objects. */ static void mac_none_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent, struct label *label) { } static void mac_none_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label) { } static void mac_none_create_devfs_vnode(struct devfs_dirent *devfs_dirent, struct label *direntlabel, struct vnode *vp, struct label *vnodelabel) { } static void mac_none_create_vnode(struct ucred *cred, struct vnode *parent, struct label *parentlabel, struct vnode *child, struct label *childlabel) { } static void mac_none_create_mount(struct ucred *cred, struct mount *mp, struct label *mntlabel, struct label *fslabel) { } static void mac_none_create_root_mount(struct ucred *cred, struct mount *mp, struct label *mntlabel, struct label *fslabel) { } static void mac_none_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *label) { } static void mac_none_update_devfsdirent(struct devfs_dirent *devfs_dirent, struct label *direntlabel, struct vnode *vp, struct label *vnodelabel) { } static void mac_none_update_procfsvnode(struct vnode *vp, struct label *vnodelabel, struct ucred *cred) { } static int mac_none_update_vnode_from_externalized(struct vnode *vp, struct label *vnodelabel, struct mac *extmac) { return (0); } static void mac_none_update_vnode_from_mount(struct vnode *vp, struct label *vnodelabel, struct mount *mp, struct label *fslabel) { } /* * Labeling event operations: IPC object. */ static void mac_none_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { } static void mac_none_create_socket(struct ucred *cred, struct socket *socket, struct label *socketlabel) { } static void mac_none_create_pipe(struct ucred *cred, struct pipe *pipe, struct label *pipelabel) { } static void mac_none_create_socket_from_socket(struct socket *oldsocket, struct label *oldsocketlabel, struct socket *newsocket, struct label *newsocketlabel) { } static void mac_none_relabel_socket(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) { } static void mac_none_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) { } static void mac_none_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel, struct socket *socket, struct label *socketpeerlabel) { } static void mac_none_set_socket_peer_from_socket(struct socket *oldsocket, struct label *oldsocketlabel, struct socket *newsocket, struct label *newsocketpeerlabel) { } /* * Labeling event operations: network objects. */ static void mac_none_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d, struct label *bpflabel) { } static void mac_none_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel, struct mbuf *datagram, struct label *datagramlabel) { } static void mac_none_create_fragment(struct mbuf *datagram, struct label *datagramlabel, struct mbuf *fragment, struct label *fragmentlabel) { } static void mac_none_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel) { } static void mac_none_create_ipq(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { } static void mac_none_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel) { } static void mac_none_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *mbuf, struct label *mbuflabel) { } static void mac_none_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel, struct mbuf *mbuf, struct label *mbuflabel) { } static void mac_none_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel) { } static void mac_none_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *newmbuf, struct label *newmbuflabel) { } static void mac_none_create_mbuf_netlayer(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel) { } static int mac_none_fragment_match(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { return (1); } static void mac_none_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, struct label *newlabel) { } static void mac_none_update_ipq(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { } /* * Labeling event operations: processes. */ static void mac_none_create_cred(struct ucred *cred_parent, struct ucred *cred_child) { } static void mac_none_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *vnodelabel) { } static int mac_none_execve_will_transition(struct ucred *old, struct vnode *vp, struct label *vnodelabel) { return (0); } static void mac_none_create_proc0(struct ucred *cred) { } static void mac_none_create_proc1(struct ucred *cred) { } static void mac_none_relabel_cred(struct ucred *cred, struct label *newlabel) { } /* * Access control checks. */ static int mac_none_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel, struct ifnet *ifnet, struct label *ifnet_label) { return (0); } static int mac_none_check_cred_relabel(struct ucred *cred, struct label *newlabel) { return (0); } static int mac_none_check_cred_visible(struct ucred *u1, struct ucred *u2) { return (0); } static int mac_none_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, struct label *newlabel) { return (0); } static int mac_none_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel) { return (0); } static int mac_none_check_mount_stat(struct ucred *cred, struct mount *mp, struct label *mntlabel) { return (0); } static int mac_none_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) { return (0); } static int mac_none_check_pipe_op(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, int op) { return (0); } static int mac_none_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) { return (0); } static int mac_none_check_proc_debug(struct ucred *cred, struct proc *proc) { return (0); } static int mac_none_check_proc_sched(struct ucred *cred, struct proc *proc) { return (0); } static int mac_none_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) { return (0); } static int mac_none_check_socket_bind(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { return (0); } static int mac_none_check_socket_connect(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { return (0); } static int mac_none_check_socket_deliver(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { return (0); } static int mac_none_check_socket_listen(struct ucred *cred, struct vnode *vp, struct label *socketlabel) { return (0); } static int mac_none_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) { return (0); } static int mac_none_check_socket_visible(struct ucred *cred, struct socket *socket, struct label *socketlabel) { return (0); } static int mac_none_check_vnode_access(struct ucred *cred, struct vnode *vp, struct label *label, mode_t flags) { return (0); } static int mac_none_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { return (0); } static int mac_none_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { return (0); } static int mac_none_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp, struct vattr *vap) { return (0); } static int mac_none_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp) { return (0); } static int mac_none_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type) { return (0); } static int mac_none_check_vnode_exec(struct ucred *cred, struct vnode *vp, struct label *label) { return (0); } static int mac_none_check_vnode_getacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type) { return (0); } static int mac_none_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { return (0); } static int mac_none_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp) { return (0); } static int mac_none_check_vnode_open(struct ucred *cred, struct vnode *vp, struct label *filelabel, mode_t acc_mode) { return (0); } static int +mac_none_check_vnode_poll(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + +static int +mac_none_check_vnode_read(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + +static int mac_none_check_vnode_readdir(struct ucred *cred, struct vnode *vp, struct label *dlabel) { return (0); } static int mac_none_check_vnode_readlink(struct ucred *cred, struct vnode *vp, struct label *vnodelabel) { return (0); } static int mac_none_check_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *newlabel) { return (0); } static int mac_none_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp) { return (0); } static int mac_none_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, int samedir, struct componentname *cnp) { return (0); } static int mac_none_check_vnode_revoke(struct ucred *cred, struct vnode *vp, struct label *label) { return (0); } static int mac_none_check_vnode_setacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type, struct acl *acl) { return (0); } static int mac_none_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { return (0); } static int mac_none_check_vnode_setflags(struct ucred *cred, struct vnode *vp, struct label *label, u_long flags) { return (0); } static int mac_none_check_vnode_setmode(struct ucred *cred, struct vnode *vp, struct label *label, mode_t mode) { return (0); } static int mac_none_check_vnode_setowner(struct ucred *cred, struct vnode *vp, struct label *label, uid_t uid, gid_t gid) { return (0); } static int mac_none_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct label *label, struct timespec atime, struct timespec mtime) { return (0); } static int mac_none_check_vnode_stat(struct ucred *cred, struct vnode *vp, struct label *label) { return (0); } +static int +mac_none_check_vnode_write(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + static struct mac_policy_op_entry mac_none_ops[] = { { MAC_DESTROY, (macop_t)mac_none_destroy }, { MAC_INIT, (macop_t)mac_none_init }, { MAC_INIT_BPFDESC, (macop_t)mac_none_init_bpfdesc }, { MAC_INIT_CRED, (macop_t)mac_none_init_cred }, { MAC_INIT_DEVFSDIRENT, (macop_t)mac_none_init_devfsdirent }, { MAC_INIT_IFNET, (macop_t)mac_none_init_ifnet }, { MAC_INIT_IPQ, (macop_t)mac_none_init_ipq }, { MAC_INIT_MBUF, (macop_t)mac_none_init_mbuf }, { MAC_INIT_MOUNT, (macop_t)mac_none_init_mount }, { MAC_INIT_PIPE, (macop_t)mac_none_init_pipe }, { MAC_INIT_SOCKET, (macop_t)mac_none_init_socket }, { MAC_INIT_TEMP, (macop_t)mac_none_init_temp }, { MAC_INIT_VNODE, (macop_t)mac_none_init_vnode }, { MAC_DESTROY_BPFDESC, (macop_t)mac_none_destroy_bpfdesc }, { MAC_DESTROY_CRED, (macop_t)mac_none_destroy_cred }, { MAC_DESTROY_DEVFSDIRENT, (macop_t)mac_none_destroy_devfsdirent }, { MAC_DESTROY_IFNET, (macop_t)mac_none_destroy_ifnet }, { MAC_DESTROY_IPQ, (macop_t)mac_none_destroy_ipq }, { MAC_DESTROY_MBUF, (macop_t)mac_none_destroy_mbuf }, { MAC_DESTROY_MOUNT, (macop_t)mac_none_destroy_mount }, { MAC_DESTROY_PIPE, (macop_t)mac_none_destroy_pipe }, { MAC_DESTROY_SOCKET, (macop_t)mac_none_destroy_socket }, { MAC_DESTROY_TEMP, (macop_t)mac_none_destroy_temp }, { MAC_DESTROY_VNODE, (macop_t)mac_none_destroy_vnode }, { MAC_EXTERNALIZE, (macop_t)mac_none_externalize }, { MAC_INTERNALIZE, (macop_t)mac_none_internalize }, { MAC_CREATE_DEVFS_DEVICE, (macop_t)mac_none_create_devfs_device }, { MAC_CREATE_DEVFS_DIRECTORY, (macop_t)mac_none_create_devfs_directory }, { MAC_CREATE_DEVFS_VNODE, (macop_t)mac_none_create_devfs_vnode }, { MAC_CREATE_VNODE, (macop_t)mac_none_create_vnode }, { MAC_CREATE_MOUNT, (macop_t)mac_none_create_mount }, { MAC_CREATE_ROOT_MOUNT, (macop_t)mac_none_create_root_mount }, { MAC_RELABEL_VNODE, (macop_t)mac_none_relabel_vnode }, { MAC_UPDATE_DEVFSDIRENT, (macop_t)mac_none_update_devfsdirent }, { MAC_UPDATE_PROCFSVNODE, (macop_t)mac_none_update_procfsvnode }, { MAC_UPDATE_VNODE_FROM_EXTERNALIZED, (macop_t)mac_none_update_vnode_from_externalized }, { MAC_UPDATE_VNODE_FROM_MOUNT, (macop_t)mac_none_update_vnode_from_mount }, { MAC_CREATE_MBUF_FROM_SOCKET, (macop_t)mac_none_create_mbuf_from_socket }, { MAC_CREATE_PIPE, (macop_t)mac_none_create_pipe }, { MAC_CREATE_SOCKET, (macop_t)mac_none_create_socket }, { MAC_CREATE_SOCKET_FROM_SOCKET, (macop_t)mac_none_create_socket_from_socket }, { MAC_RELABEL_PIPE, (macop_t)mac_none_relabel_pipe }, { MAC_RELABEL_SOCKET, (macop_t)mac_none_relabel_socket }, { MAC_SET_SOCKET_PEER_FROM_MBUF, (macop_t)mac_none_set_socket_peer_from_mbuf }, { MAC_SET_SOCKET_PEER_FROM_SOCKET, (macop_t)mac_none_set_socket_peer_from_socket }, { MAC_CREATE_BPFDESC, (macop_t)mac_none_create_bpfdesc }, { MAC_CREATE_IFNET, (macop_t)mac_none_create_ifnet }, { MAC_CREATE_IPQ, (macop_t)mac_none_create_ipq }, { MAC_CREATE_DATAGRAM_FROM_IPQ, (macop_t)mac_none_create_datagram_from_ipq }, { MAC_CREATE_FRAGMENT, (macop_t)mac_none_create_fragment }, { MAC_CREATE_IPQ, (macop_t)mac_none_create_ipq }, { MAC_CREATE_MBUF_FROM_MBUF, (macop_t)mac_none_create_mbuf_from_mbuf }, { MAC_CREATE_MBUF_LINKLAYER, (macop_t)mac_none_create_mbuf_linklayer }, { MAC_CREATE_MBUF_FROM_BPFDESC, (macop_t)mac_none_create_mbuf_from_bpfdesc }, { MAC_CREATE_MBUF_FROM_IFNET, (macop_t)mac_none_create_mbuf_from_ifnet }, { MAC_CREATE_MBUF_MULTICAST_ENCAP, (macop_t)mac_none_create_mbuf_multicast_encap }, { MAC_CREATE_MBUF_NETLAYER, (macop_t)mac_none_create_mbuf_netlayer }, { MAC_FRAGMENT_MATCH, (macop_t)mac_none_fragment_match }, { MAC_RELABEL_IFNET, (macop_t)mac_none_relabel_ifnet }, { MAC_UPDATE_IPQ, (macop_t)mac_none_update_ipq }, { MAC_CREATE_CRED, (macop_t)mac_none_create_cred }, { MAC_EXECVE_TRANSITION, (macop_t)mac_none_execve_transition }, { MAC_EXECVE_WILL_TRANSITION, (macop_t)mac_none_execve_will_transition }, { MAC_CREATE_PROC0, (macop_t)mac_none_create_proc0 }, { MAC_CREATE_PROC1, (macop_t)mac_none_create_proc1 }, { MAC_RELABEL_CRED, (macop_t)mac_none_relabel_cred }, { MAC_CHECK_BPFDESC_RECEIVE, (macop_t)mac_none_check_bpfdesc_receive }, { MAC_CHECK_CRED_RELABEL, (macop_t)mac_none_check_cred_relabel }, { MAC_CHECK_CRED_VISIBLE, (macop_t)mac_none_check_cred_visible }, { MAC_CHECK_IFNET_RELABEL, (macop_t)mac_none_check_ifnet_relabel }, { MAC_CHECK_IFNET_TRANSMIT, (macop_t)mac_none_check_ifnet_transmit }, { MAC_CHECK_MOUNT_STAT, (macop_t)mac_none_check_mount_stat }, { MAC_CHECK_PIPE_IOCTL, (macop_t)mac_none_check_pipe_ioctl }, { MAC_CHECK_PIPE_OP, (macop_t)mac_none_check_pipe_op }, { MAC_CHECK_PIPE_RELABEL, (macop_t)mac_none_check_pipe_relabel }, { MAC_CHECK_PROC_DEBUG, (macop_t)mac_none_check_proc_debug }, { MAC_CHECK_PROC_SCHED, (macop_t)mac_none_check_proc_sched }, { MAC_CHECK_PROC_SIGNAL, (macop_t)mac_none_check_proc_signal }, { MAC_CHECK_SOCKET_BIND, (macop_t)mac_none_check_socket_bind }, { MAC_CHECK_SOCKET_CONNECT, (macop_t)mac_none_check_socket_connect }, { MAC_CHECK_SOCKET_DELIVER, (macop_t)mac_none_check_socket_deliver }, { MAC_CHECK_SOCKET_LISTEN, (macop_t)mac_none_check_socket_listen }, { MAC_CHECK_SOCKET_RELABEL, (macop_t)mac_none_check_socket_relabel }, { MAC_CHECK_SOCKET_VISIBLE, (macop_t)mac_none_check_socket_visible }, { MAC_CHECK_VNODE_ACCESS, (macop_t)mac_none_check_vnode_access }, { MAC_CHECK_VNODE_CHDIR, (macop_t)mac_none_check_vnode_chdir }, { MAC_CHECK_VNODE_CHROOT, (macop_t)mac_none_check_vnode_chroot }, { MAC_CHECK_VNODE_CREATE, (macop_t)mac_none_check_vnode_create }, { MAC_CHECK_VNODE_DELETE, (macop_t)mac_none_check_vnode_delete }, { MAC_CHECK_VNODE_DELETEACL, (macop_t)mac_none_check_vnode_deleteacl }, { MAC_CHECK_VNODE_EXEC, (macop_t)mac_none_check_vnode_exec }, { MAC_CHECK_VNODE_GETACL, (macop_t)mac_none_check_vnode_getacl }, { MAC_CHECK_VNODE_GETEXTATTR, (macop_t)mac_none_check_vnode_getextattr }, { MAC_CHECK_VNODE_LOOKUP, (macop_t)mac_none_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, (macop_t)mac_none_check_vnode_open }, + { MAC_CHECK_VNODE_POLL, + (macop_t)mac_none_check_vnode_poll }, + { MAC_CHECK_VNODE_READ, + (macop_t)mac_none_check_vnode_read }, { MAC_CHECK_VNODE_READDIR, (macop_t)mac_none_check_vnode_readdir }, { MAC_CHECK_VNODE_READLINK, (macop_t)mac_none_check_vnode_readlink }, { MAC_CHECK_VNODE_RELABEL, (macop_t)mac_none_check_vnode_relabel }, { MAC_CHECK_VNODE_RENAME_FROM, (macop_t)mac_none_check_vnode_rename_from }, { MAC_CHECK_VNODE_RENAME_TO, (macop_t)mac_none_check_vnode_rename_to }, { MAC_CHECK_VNODE_REVOKE, (macop_t)mac_none_check_vnode_revoke }, { MAC_CHECK_VNODE_SETACL, (macop_t)mac_none_check_vnode_setacl }, { MAC_CHECK_VNODE_SETEXTATTR, (macop_t)mac_none_check_vnode_setextattr }, { MAC_CHECK_VNODE_SETFLAGS, (macop_t)mac_none_check_vnode_setflags }, { MAC_CHECK_VNODE_SETMODE, (macop_t)mac_none_check_vnode_setmode }, { MAC_CHECK_VNODE_SETOWNER, (macop_t)mac_none_check_vnode_setowner }, { MAC_CHECK_VNODE_SETUTIMES, (macop_t)mac_none_check_vnode_setutimes }, { MAC_CHECK_VNODE_STAT, (macop_t)mac_none_check_vnode_stat }, + { MAC_CHECK_VNODE_WRITE, + (macop_t)mac_none_check_vnode_write }, { MAC_OP_LAST, NULL } }; MAC_POLICY_SET(mac_none_ops, trustedbsd_mac_none, "TrustedBSD MAC/None", MPC_LOADTIME_FLAG_UNLOADOK, 0); Index: head/sys/security/mac_stub/mac_stub.c =================================================================== --- head/sys/security/mac_stub/mac_stub.c (revision 102111) +++ head/sys/security/mac_stub/mac_stub.c (revision 102112) @@ -1,1105 +1,1135 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by NAI Labs, * the Security Research Division of Network Associates, Inc. under * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The names of the authors may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ /* * Developed by the TrustedBSD Project. * Generic mandatory access module that does nothing. */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include SYSCTL_DECL(_security_mac); SYSCTL_NODE(_security_mac, OID_AUTO, none, CTLFLAG_RW, 0, "TrustedBSD mac_none policy controls"); static int mac_none_enabled = 0; SYSCTL_INT(_security_mac_none, OID_AUTO, enabled, CTLFLAG_RW, &mac_none_enabled, 0, "Enforce none policy"); /* * Policy module operations. */ static void mac_none_destroy(struct mac_policy_conf *conf) { } static void mac_none_init(struct mac_policy_conf *conf) { } /* * Label operations. */ static void mac_none_init_bpfdesc(struct bpf_d *bpf_d, struct label *label) { } static void mac_none_init_cred(struct ucred *ucred, struct label *label) { } static void mac_none_init_devfsdirent(struct devfs_dirent *devfs_dirent, struct label *label) { } static void mac_none_init_ifnet(struct ifnet *ifnet, struct label *label) { } static void mac_none_init_ipq(struct ipq *ipq, struct label *ipqlabel) { } static int mac_none_init_mbuf(struct mbuf *mbuf, int how, struct label *label) { return (0); } static void mac_none_init_mount(struct mount *mount, struct label *mntlabel, struct label *fslabel) { } static void mac_none_init_socket(struct socket *socket, struct label *label, struct label *peerlabel) { } static void mac_none_init_pipe(struct pipe *pipe, struct label *label) { } static void mac_none_init_temp(struct label *label) { } static void mac_none_init_vnode(struct vnode *vp, struct label *label) { } static void mac_none_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label) { } static void mac_none_destroy_cred(struct ucred *ucred, struct label *label) { } static void mac_none_destroy_devfsdirent(struct devfs_dirent *devfs_dirent, struct label *label) { } static void mac_none_destroy_ifnet(struct ifnet *ifnet, struct label *label) { } static void mac_none_destroy_ipq(struct ipq *ipq, struct label *label) { } static void mac_none_destroy_mbuf(struct mbuf *mbuf, struct label *label) { } static void mac_none_destroy_mount(struct mount *mount, struct label *mntlabel, struct label *fslabel) { } static void mac_none_destroy_socket(struct socket *socket, struct label *label, struct label *peerlabel) { } static void mac_none_destroy_pipe(struct pipe *pipe, struct label *label) { } static void mac_none_destroy_temp(struct label *label) { } static void mac_none_destroy_vnode(struct vnode *vp, struct label *label) { } static int mac_none_externalize(struct label *label, struct mac *extmac) { return (0); } static int mac_none_internalize(struct label *label, struct mac *extmac) { return (0); } /* * Labeling event operations: file system objects, and things that look * a lot like file system objects. */ static void mac_none_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent, struct label *label) { } static void mac_none_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label) { } static void mac_none_create_devfs_vnode(struct devfs_dirent *devfs_dirent, struct label *direntlabel, struct vnode *vp, struct label *vnodelabel) { } static void mac_none_create_vnode(struct ucred *cred, struct vnode *parent, struct label *parentlabel, struct vnode *child, struct label *childlabel) { } static void mac_none_create_mount(struct ucred *cred, struct mount *mp, struct label *mntlabel, struct label *fslabel) { } static void mac_none_create_root_mount(struct ucred *cred, struct mount *mp, struct label *mntlabel, struct label *fslabel) { } static void mac_none_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *label) { } static void mac_none_update_devfsdirent(struct devfs_dirent *devfs_dirent, struct label *direntlabel, struct vnode *vp, struct label *vnodelabel) { } static void mac_none_update_procfsvnode(struct vnode *vp, struct label *vnodelabel, struct ucred *cred) { } static int mac_none_update_vnode_from_externalized(struct vnode *vp, struct label *vnodelabel, struct mac *extmac) { return (0); } static void mac_none_update_vnode_from_mount(struct vnode *vp, struct label *vnodelabel, struct mount *mp, struct label *fslabel) { } /* * Labeling event operations: IPC object. */ static void mac_none_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { } static void mac_none_create_socket(struct ucred *cred, struct socket *socket, struct label *socketlabel) { } static void mac_none_create_pipe(struct ucred *cred, struct pipe *pipe, struct label *pipelabel) { } static void mac_none_create_socket_from_socket(struct socket *oldsocket, struct label *oldsocketlabel, struct socket *newsocket, struct label *newsocketlabel) { } static void mac_none_relabel_socket(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) { } static void mac_none_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) { } static void mac_none_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel, struct socket *socket, struct label *socketpeerlabel) { } static void mac_none_set_socket_peer_from_socket(struct socket *oldsocket, struct label *oldsocketlabel, struct socket *newsocket, struct label *newsocketpeerlabel) { } /* * Labeling event operations: network objects. */ static void mac_none_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d, struct label *bpflabel) { } static void mac_none_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel, struct mbuf *datagram, struct label *datagramlabel) { } static void mac_none_create_fragment(struct mbuf *datagram, struct label *datagramlabel, struct mbuf *fragment, struct label *fragmentlabel) { } static void mac_none_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel) { } static void mac_none_create_ipq(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { } static void mac_none_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel) { } static void mac_none_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *mbuf, struct label *mbuflabel) { } static void mac_none_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel, struct mbuf *mbuf, struct label *mbuflabel) { } static void mac_none_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel) { } static void mac_none_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *newmbuf, struct label *newmbuflabel) { } static void mac_none_create_mbuf_netlayer(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel) { } static int mac_none_fragment_match(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { return (1); } static void mac_none_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, struct label *newlabel) { } static void mac_none_update_ipq(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { } /* * Labeling event operations: processes. */ static void mac_none_create_cred(struct ucred *cred_parent, struct ucred *cred_child) { } static void mac_none_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *vnodelabel) { } static int mac_none_execve_will_transition(struct ucred *old, struct vnode *vp, struct label *vnodelabel) { return (0); } static void mac_none_create_proc0(struct ucred *cred) { } static void mac_none_create_proc1(struct ucred *cred) { } static void mac_none_relabel_cred(struct ucred *cred, struct label *newlabel) { } /* * Access control checks. */ static int mac_none_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel, struct ifnet *ifnet, struct label *ifnet_label) { return (0); } static int mac_none_check_cred_relabel(struct ucred *cred, struct label *newlabel) { return (0); } static int mac_none_check_cred_visible(struct ucred *u1, struct ucred *u2) { return (0); } static int mac_none_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, struct label *newlabel) { return (0); } static int mac_none_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel) { return (0); } static int mac_none_check_mount_stat(struct ucred *cred, struct mount *mp, struct label *mntlabel) { return (0); } static int mac_none_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) { return (0); } static int mac_none_check_pipe_op(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, int op) { return (0); } static int mac_none_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) { return (0); } static int mac_none_check_proc_debug(struct ucred *cred, struct proc *proc) { return (0); } static int mac_none_check_proc_sched(struct ucred *cred, struct proc *proc) { return (0); } static int mac_none_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) { return (0); } static int mac_none_check_socket_bind(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { return (0); } static int mac_none_check_socket_connect(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { return (0); } static int mac_none_check_socket_deliver(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { return (0); } static int mac_none_check_socket_listen(struct ucred *cred, struct vnode *vp, struct label *socketlabel) { return (0); } static int mac_none_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) { return (0); } static int mac_none_check_socket_visible(struct ucred *cred, struct socket *socket, struct label *socketlabel) { return (0); } static int mac_none_check_vnode_access(struct ucred *cred, struct vnode *vp, struct label *label, mode_t flags) { return (0); } static int mac_none_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { return (0); } static int mac_none_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { return (0); } static int mac_none_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp, struct vattr *vap) { return (0); } static int mac_none_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp) { return (0); } static int mac_none_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type) { return (0); } static int mac_none_check_vnode_exec(struct ucred *cred, struct vnode *vp, struct label *label) { return (0); } static int mac_none_check_vnode_getacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type) { return (0); } static int mac_none_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { return (0); } static int mac_none_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp) { return (0); } static int mac_none_check_vnode_open(struct ucred *cred, struct vnode *vp, struct label *filelabel, mode_t acc_mode) { return (0); } static int +mac_none_check_vnode_poll(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + +static int +mac_none_check_vnode_read(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + +static int mac_none_check_vnode_readdir(struct ucred *cred, struct vnode *vp, struct label *dlabel) { return (0); } static int mac_none_check_vnode_readlink(struct ucred *cred, struct vnode *vp, struct label *vnodelabel) { return (0); } static int mac_none_check_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *newlabel) { return (0); } static int mac_none_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp) { return (0); } static int mac_none_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, int samedir, struct componentname *cnp) { return (0); } static int mac_none_check_vnode_revoke(struct ucred *cred, struct vnode *vp, struct label *label) { return (0); } static int mac_none_check_vnode_setacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type, struct acl *acl) { return (0); } static int mac_none_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { return (0); } static int mac_none_check_vnode_setflags(struct ucred *cred, struct vnode *vp, struct label *label, u_long flags) { return (0); } static int mac_none_check_vnode_setmode(struct ucred *cred, struct vnode *vp, struct label *label, mode_t mode) { return (0); } static int mac_none_check_vnode_setowner(struct ucred *cred, struct vnode *vp, struct label *label, uid_t uid, gid_t gid) { return (0); } static int mac_none_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct label *label, struct timespec atime, struct timespec mtime) { return (0); } static int mac_none_check_vnode_stat(struct ucred *cred, struct vnode *vp, struct label *label) { return (0); } +static int +mac_none_check_vnode_write(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + static struct mac_policy_op_entry mac_none_ops[] = { { MAC_DESTROY, (macop_t)mac_none_destroy }, { MAC_INIT, (macop_t)mac_none_init }, { MAC_INIT_BPFDESC, (macop_t)mac_none_init_bpfdesc }, { MAC_INIT_CRED, (macop_t)mac_none_init_cred }, { MAC_INIT_DEVFSDIRENT, (macop_t)mac_none_init_devfsdirent }, { MAC_INIT_IFNET, (macop_t)mac_none_init_ifnet }, { MAC_INIT_IPQ, (macop_t)mac_none_init_ipq }, { MAC_INIT_MBUF, (macop_t)mac_none_init_mbuf }, { MAC_INIT_MOUNT, (macop_t)mac_none_init_mount }, { MAC_INIT_PIPE, (macop_t)mac_none_init_pipe }, { MAC_INIT_SOCKET, (macop_t)mac_none_init_socket }, { MAC_INIT_TEMP, (macop_t)mac_none_init_temp }, { MAC_INIT_VNODE, (macop_t)mac_none_init_vnode }, { MAC_DESTROY_BPFDESC, (macop_t)mac_none_destroy_bpfdesc }, { MAC_DESTROY_CRED, (macop_t)mac_none_destroy_cred }, { MAC_DESTROY_DEVFSDIRENT, (macop_t)mac_none_destroy_devfsdirent }, { MAC_DESTROY_IFNET, (macop_t)mac_none_destroy_ifnet }, { MAC_DESTROY_IPQ, (macop_t)mac_none_destroy_ipq }, { MAC_DESTROY_MBUF, (macop_t)mac_none_destroy_mbuf }, { MAC_DESTROY_MOUNT, (macop_t)mac_none_destroy_mount }, { MAC_DESTROY_PIPE, (macop_t)mac_none_destroy_pipe }, { MAC_DESTROY_SOCKET, (macop_t)mac_none_destroy_socket }, { MAC_DESTROY_TEMP, (macop_t)mac_none_destroy_temp }, { MAC_DESTROY_VNODE, (macop_t)mac_none_destroy_vnode }, { MAC_EXTERNALIZE, (macop_t)mac_none_externalize }, { MAC_INTERNALIZE, (macop_t)mac_none_internalize }, { MAC_CREATE_DEVFS_DEVICE, (macop_t)mac_none_create_devfs_device }, { MAC_CREATE_DEVFS_DIRECTORY, (macop_t)mac_none_create_devfs_directory }, { MAC_CREATE_DEVFS_VNODE, (macop_t)mac_none_create_devfs_vnode }, { MAC_CREATE_VNODE, (macop_t)mac_none_create_vnode }, { MAC_CREATE_MOUNT, (macop_t)mac_none_create_mount }, { MAC_CREATE_ROOT_MOUNT, (macop_t)mac_none_create_root_mount }, { MAC_RELABEL_VNODE, (macop_t)mac_none_relabel_vnode }, { MAC_UPDATE_DEVFSDIRENT, (macop_t)mac_none_update_devfsdirent }, { MAC_UPDATE_PROCFSVNODE, (macop_t)mac_none_update_procfsvnode }, { MAC_UPDATE_VNODE_FROM_EXTERNALIZED, (macop_t)mac_none_update_vnode_from_externalized }, { MAC_UPDATE_VNODE_FROM_MOUNT, (macop_t)mac_none_update_vnode_from_mount }, { MAC_CREATE_MBUF_FROM_SOCKET, (macop_t)mac_none_create_mbuf_from_socket }, { MAC_CREATE_PIPE, (macop_t)mac_none_create_pipe }, { MAC_CREATE_SOCKET, (macop_t)mac_none_create_socket }, { MAC_CREATE_SOCKET_FROM_SOCKET, (macop_t)mac_none_create_socket_from_socket }, { MAC_RELABEL_PIPE, (macop_t)mac_none_relabel_pipe }, { MAC_RELABEL_SOCKET, (macop_t)mac_none_relabel_socket }, { MAC_SET_SOCKET_PEER_FROM_MBUF, (macop_t)mac_none_set_socket_peer_from_mbuf }, { MAC_SET_SOCKET_PEER_FROM_SOCKET, (macop_t)mac_none_set_socket_peer_from_socket }, { MAC_CREATE_BPFDESC, (macop_t)mac_none_create_bpfdesc }, { MAC_CREATE_IFNET, (macop_t)mac_none_create_ifnet }, { MAC_CREATE_IPQ, (macop_t)mac_none_create_ipq }, { MAC_CREATE_DATAGRAM_FROM_IPQ, (macop_t)mac_none_create_datagram_from_ipq }, { MAC_CREATE_FRAGMENT, (macop_t)mac_none_create_fragment }, { MAC_CREATE_IPQ, (macop_t)mac_none_create_ipq }, { MAC_CREATE_MBUF_FROM_MBUF, (macop_t)mac_none_create_mbuf_from_mbuf }, { MAC_CREATE_MBUF_LINKLAYER, (macop_t)mac_none_create_mbuf_linklayer }, { MAC_CREATE_MBUF_FROM_BPFDESC, (macop_t)mac_none_create_mbuf_from_bpfdesc }, { MAC_CREATE_MBUF_FROM_IFNET, (macop_t)mac_none_create_mbuf_from_ifnet }, { MAC_CREATE_MBUF_MULTICAST_ENCAP, (macop_t)mac_none_create_mbuf_multicast_encap }, { MAC_CREATE_MBUF_NETLAYER, (macop_t)mac_none_create_mbuf_netlayer }, { MAC_FRAGMENT_MATCH, (macop_t)mac_none_fragment_match }, { MAC_RELABEL_IFNET, (macop_t)mac_none_relabel_ifnet }, { MAC_UPDATE_IPQ, (macop_t)mac_none_update_ipq }, { MAC_CREATE_CRED, (macop_t)mac_none_create_cred }, { MAC_EXECVE_TRANSITION, (macop_t)mac_none_execve_transition }, { MAC_EXECVE_WILL_TRANSITION, (macop_t)mac_none_execve_will_transition }, { MAC_CREATE_PROC0, (macop_t)mac_none_create_proc0 }, { MAC_CREATE_PROC1, (macop_t)mac_none_create_proc1 }, { MAC_RELABEL_CRED, (macop_t)mac_none_relabel_cred }, { MAC_CHECK_BPFDESC_RECEIVE, (macop_t)mac_none_check_bpfdesc_receive }, { MAC_CHECK_CRED_RELABEL, (macop_t)mac_none_check_cred_relabel }, { MAC_CHECK_CRED_VISIBLE, (macop_t)mac_none_check_cred_visible }, { MAC_CHECK_IFNET_RELABEL, (macop_t)mac_none_check_ifnet_relabel }, { MAC_CHECK_IFNET_TRANSMIT, (macop_t)mac_none_check_ifnet_transmit }, { MAC_CHECK_MOUNT_STAT, (macop_t)mac_none_check_mount_stat }, { MAC_CHECK_PIPE_IOCTL, (macop_t)mac_none_check_pipe_ioctl }, { MAC_CHECK_PIPE_OP, (macop_t)mac_none_check_pipe_op }, { MAC_CHECK_PIPE_RELABEL, (macop_t)mac_none_check_pipe_relabel }, { MAC_CHECK_PROC_DEBUG, (macop_t)mac_none_check_proc_debug }, { MAC_CHECK_PROC_SCHED, (macop_t)mac_none_check_proc_sched }, { MAC_CHECK_PROC_SIGNAL, (macop_t)mac_none_check_proc_signal }, { MAC_CHECK_SOCKET_BIND, (macop_t)mac_none_check_socket_bind }, { MAC_CHECK_SOCKET_CONNECT, (macop_t)mac_none_check_socket_connect }, { MAC_CHECK_SOCKET_DELIVER, (macop_t)mac_none_check_socket_deliver }, { MAC_CHECK_SOCKET_LISTEN, (macop_t)mac_none_check_socket_listen }, { MAC_CHECK_SOCKET_RELABEL, (macop_t)mac_none_check_socket_relabel }, { MAC_CHECK_SOCKET_VISIBLE, (macop_t)mac_none_check_socket_visible }, { MAC_CHECK_VNODE_ACCESS, (macop_t)mac_none_check_vnode_access }, { MAC_CHECK_VNODE_CHDIR, (macop_t)mac_none_check_vnode_chdir }, { MAC_CHECK_VNODE_CHROOT, (macop_t)mac_none_check_vnode_chroot }, { MAC_CHECK_VNODE_CREATE, (macop_t)mac_none_check_vnode_create }, { MAC_CHECK_VNODE_DELETE, (macop_t)mac_none_check_vnode_delete }, { MAC_CHECK_VNODE_DELETEACL, (macop_t)mac_none_check_vnode_deleteacl }, { MAC_CHECK_VNODE_EXEC, (macop_t)mac_none_check_vnode_exec }, { MAC_CHECK_VNODE_GETACL, (macop_t)mac_none_check_vnode_getacl }, { MAC_CHECK_VNODE_GETEXTATTR, (macop_t)mac_none_check_vnode_getextattr }, { MAC_CHECK_VNODE_LOOKUP, (macop_t)mac_none_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, (macop_t)mac_none_check_vnode_open }, + { MAC_CHECK_VNODE_POLL, + (macop_t)mac_none_check_vnode_poll }, + { MAC_CHECK_VNODE_READ, + (macop_t)mac_none_check_vnode_read }, { MAC_CHECK_VNODE_READDIR, (macop_t)mac_none_check_vnode_readdir }, { MAC_CHECK_VNODE_READLINK, (macop_t)mac_none_check_vnode_readlink }, { MAC_CHECK_VNODE_RELABEL, (macop_t)mac_none_check_vnode_relabel }, { MAC_CHECK_VNODE_RENAME_FROM, (macop_t)mac_none_check_vnode_rename_from }, { MAC_CHECK_VNODE_RENAME_TO, (macop_t)mac_none_check_vnode_rename_to }, { MAC_CHECK_VNODE_REVOKE, (macop_t)mac_none_check_vnode_revoke }, { MAC_CHECK_VNODE_SETACL, (macop_t)mac_none_check_vnode_setacl }, { MAC_CHECK_VNODE_SETEXTATTR, (macop_t)mac_none_check_vnode_setextattr }, { MAC_CHECK_VNODE_SETFLAGS, (macop_t)mac_none_check_vnode_setflags }, { MAC_CHECK_VNODE_SETMODE, (macop_t)mac_none_check_vnode_setmode }, { MAC_CHECK_VNODE_SETOWNER, (macop_t)mac_none_check_vnode_setowner }, { MAC_CHECK_VNODE_SETUTIMES, (macop_t)mac_none_check_vnode_setutimes }, { MAC_CHECK_VNODE_STAT, (macop_t)mac_none_check_vnode_stat }, + { MAC_CHECK_VNODE_WRITE, + (macop_t)mac_none_check_vnode_write }, { MAC_OP_LAST, NULL } }; MAC_POLICY_SET(mac_none_ops, trustedbsd_mac_none, "TrustedBSD MAC/None", MPC_LOADTIME_FLAG_UNLOADOK, 0); Index: head/sys/security/mac_test/mac_test.c =================================================================== --- head/sys/security/mac_test/mac_test.c (revision 102111) +++ head/sys/security/mac_test/mac_test.c (revision 102112) @@ -1,1311 +1,1341 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by NAI Labs, * the Security Research Division of Network Associates, Inc. under * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The names of the authors may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ /* * Developed by the TrustedBSD Project. * Generic mandatory access module that does nothing. */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include SYSCTL_DECL(_security_mac); SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0, "TrustedBSD mac_test policy controls"); static int mac_test_enabled = 0; SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW, &mac_test_enabled, 0, "Enforce test policy"); #define BPFMAGIC 0xfe1ad1b6 #define DEVFSMAGIC 0x9ee79c32 #define IFNETMAGIC 0xc218b120 #define IPQMAGIC 0x206188ef #define MBUFMAGIC 0xbbefa5bb #define MOUNTMAGIC 0xc7c46e47 #define SOCKETMAGIC 0x9199c6cd #define PIPEMAGIC 0xdc6c9919 #define CREDMAGIC 0x9a5a4987 #define TEMPMAGIC 0x70336678 #define VNODEMAGIC 0x1a67a45c #define EXMAGIC 0x849ba1fd #define SLOT(x) LABEL_TO_SLOT((x), test_slot).l_long static int test_slot; SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD, &test_slot, 0, "Slot allocated by framework"); static int init_count_bpfdesc; SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD, &init_count_bpfdesc, 0, "bpfdesc init calls"); static int init_count_cred; SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD, &init_count_cred, 0, "cred init calls"); static int init_count_devfsdirent; SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD, &init_count_devfsdirent, 0, "devfsdirent init calls"); static int init_count_ifnet; SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD, &init_count_ifnet, 0, "ifnet init calls"); static int init_count_ipq; SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD, &init_count_ipq, 0, "ipq init calls"); static int init_count_mbuf; SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD, &init_count_mbuf, 0, "mbuf init calls"); static int init_count_mount; SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD, &init_count_mount, 0, "mount init calls"); static int init_count_socket; SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD, &init_count_socket, 0, "socket init calls"); static int init_count_pipe; SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD, &init_count_pipe, 0, "pipe init calls"); static int init_count_temp; SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_temp, CTLFLAG_RD, &init_count_temp, 0, "temp init calls"); static int init_count_vnode; SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD, &init_count_vnode, 0, "vnode init calls"); static int destroy_count_bpfdesc; SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD, &destroy_count_bpfdesc, 0, "bpfdesc destroy calls"); static int destroy_count_cred; SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD, &destroy_count_cred, 0, "cred destroy calls"); static int destroy_count_devfsdirent; SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD, &destroy_count_devfsdirent, 0, "devfsdirent destroy calls"); static int destroy_count_ifnet; SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD, &destroy_count_ifnet, 0, "ifnet destroy calls"); static int destroy_count_ipq; SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD, &destroy_count_ipq, 0, "ipq destroy calls"); static int destroy_count_mbuf; SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD, &destroy_count_mbuf, 0, "mbuf destroy calls"); static int destroy_count_mount; SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD, &destroy_count_mount, 0, "mount destroy calls"); static int destroy_count_socket; SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD, &destroy_count_socket, 0, "socket destroy calls"); static int destroy_count_pipe; SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD, &destroy_count_pipe, 0, "pipe destroy calls"); static int destroy_count_temp; SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_temp, CTLFLAG_RD, &destroy_count_temp, 0, "temp destroy calls"); static int destroy_count_vnode; SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD, &destroy_count_vnode, 0, "vnode destroy calls"); static int externalize_count; SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD, &externalize_count, 0, "Subject/object externalize calls"); static int internalize_count; SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD, &internalize_count, 0, "Subject/object internalize calls"); /* * Policy module operations. */ static void mac_test_destroy(struct mac_policy_conf *conf) { } static void mac_test_init(struct mac_policy_conf *conf) { } /* * Label operations. */ static void mac_test_init_bpfdesc(struct bpf_d *bpf_d, struct label *label) { SLOT(label) = BPFMAGIC; atomic_add_int(&init_count_bpfdesc, 1); } static void mac_test_init_cred(struct ucred *ucred, struct label *label) { SLOT(label) = CREDMAGIC; atomic_add_int(&init_count_cred, 1); } static void mac_test_init_devfsdirent(struct devfs_dirent *devfs_dirent, struct label *label) { SLOT(label) = DEVFSMAGIC; atomic_add_int(&init_count_devfsdirent, 1); } static void mac_test_init_ifnet(struct ifnet *ifnet, struct label *label) { SLOT(label) = IFNETMAGIC; atomic_add_int(&init_count_ifnet, 1); } static void mac_test_init_ipq(struct ipq *ipq, struct label *label) { SLOT(label) = IPQMAGIC; atomic_add_int(&init_count_ipq, 1); } static int mac_test_init_mbuf(struct mbuf *mbuf, int how, struct label *label) { SLOT(label) = MBUFMAGIC; atomic_add_int(&init_count_mbuf, 1); return (0); } static void mac_test_init_mount(struct mount *mount, struct label *mntlabel, struct label *fslabel) { SLOT(mntlabel) = MOUNTMAGIC; SLOT(fslabel) = MOUNTMAGIC; atomic_add_int(&init_count_mount, 1); } static void mac_test_init_socket(struct socket *socket, struct label *label, struct label *peerlabel) { SLOT(label) = SOCKETMAGIC; SLOT(peerlabel) = SOCKETMAGIC; atomic_add_int(&init_count_socket, 1); } static void mac_test_init_pipe(struct pipe *pipe, struct label *label) { SLOT(label) = PIPEMAGIC; atomic_add_int(&init_count_pipe, 1); } static void mac_test_init_temp(struct label *label) { SLOT(label) = TEMPMAGIC; atomic_add_int(&init_count_temp, 1); } static void mac_test_init_vnode(struct vnode *vp, struct label *label) { SLOT(label) = VNODEMAGIC; atomic_add_int(&init_count_vnode, 1); } static void mac_test_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label) { if (SLOT(label) == BPFMAGIC || SLOT(label) == 0) { atomic_add_int(&destroy_count_bpfdesc, 1); SLOT(label) = EXMAGIC; } else if (SLOT(label) == EXMAGIC) { Debugger("mac_test_destroy_bpfdesc: dup destroy"); } else { Debugger("mac_test_destroy_bpfdesc: corrupted label"); } } static void mac_test_destroy_cred(struct ucred *ucred, struct label *label) { if (SLOT(label) == CREDMAGIC || SLOT(label) == 0) { atomic_add_int(&destroy_count_cred, 1); SLOT(label) = EXMAGIC; } else if (SLOT(label) == EXMAGIC) { Debugger("mac_test_destroy_cred: dup destroy"); } else { Debugger("mac_test_destroy_cred: corrupted label"); } } static void mac_test_destroy_devfsdirent(struct devfs_dirent *devfs_dirent, struct label *label) { if (SLOT(label) == DEVFSMAGIC || SLOT(label) == 0) { atomic_add_int(&destroy_count_devfsdirent, 1); SLOT(label) = EXMAGIC; } else if (SLOT(label) == EXMAGIC) { Debugger("mac_test_destroy_devfsdirent: dup destroy"); } else { Debugger("mac_test_destroy_devfsdirent: corrupted label"); } } static void mac_test_destroy_ifnet(struct ifnet *ifnet, struct label *label) { if (SLOT(label) == IFNETMAGIC || SLOT(label) == 0) { atomic_add_int(&destroy_count_ifnet, 1); SLOT(label) = EXMAGIC; } else if (SLOT(label) == EXMAGIC) { Debugger("mac_test_destroy_ifnet: dup destroy"); } else { Debugger("mac_test_destroy_ifnet: corrupted label"); } } static void mac_test_destroy_ipq(struct ipq *ipq, struct label *label) { if (SLOT(label) == IPQMAGIC || SLOT(label) == 0) { atomic_add_int(&destroy_count_ipq, 1); SLOT(label) = EXMAGIC; } else if (SLOT(label) == EXMAGIC) { Debugger("mac_test_destroy_ipq: dup destroy"); } else { Debugger("mac_test_destroy_ipq: corrupted label"); } } static void mac_test_destroy_mbuf(struct mbuf *mbuf, struct label *label) { if (SLOT(label) == MBUFMAGIC || SLOT(label) == 0) { atomic_add_int(&destroy_count_mbuf, 1); SLOT(label) = EXMAGIC; } else if (SLOT(label) == EXMAGIC) { Debugger("mac_test_destroy_mbuf: dup destroy"); } else { Debugger("mac_test_destroy_mbuf: corrupted label"); } } static void mac_test_destroy_mount(struct mount *mount, struct label *mntlabel, struct label *fslabel) { if ((SLOT(mntlabel) == MOUNTMAGIC || SLOT(mntlabel) == 0) && (SLOT(fslabel) == MOUNTMAGIC || SLOT(fslabel) == 0)) { atomic_add_int(&destroy_count_mount, 1); SLOT(mntlabel) = EXMAGIC; SLOT(fslabel) = EXMAGIC; } else if (SLOT(mntlabel) == EXMAGIC || SLOT(fslabel) == EXMAGIC) { Debugger("mac_test_destroy_mount: dup destroy"); } else { Debugger("mac_test_destroy_mount: corrupted label"); } } static void mac_test_destroy_socket(struct socket *socket, struct label *label, struct label *peerlabel) { if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0) && (SLOT(peerlabel) == SOCKETMAGIC || SLOT(peerlabel) == 0)) { atomic_add_int(&destroy_count_socket, 1); SLOT(label) = EXMAGIC; SLOT(peerlabel) = EXMAGIC; } else if (SLOT(label) == EXMAGIC || SLOT(peerlabel) == EXMAGIC) { Debugger("mac_test_destroy_socket: dup destroy"); } else { Debugger("mac_test_destroy_socket: corrupted label"); } } static void mac_test_destroy_pipe(struct pipe *pipe, struct label *label) { if ((SLOT(label) == PIPEMAGIC || SLOT(label) == 0)) { atomic_add_int(&destroy_count_pipe, 1); SLOT(label) = EXMAGIC; } else if (SLOT(label) == EXMAGIC) { Debugger("mac_test_destroy_pipe: dup destroy"); } else { Debugger("mac_test_destroy_pipe: corrupted label"); } } static void mac_test_destroy_temp(struct label *label) { if (SLOT(label) == TEMPMAGIC || SLOT(label) == 0) { atomic_add_int(&destroy_count_temp, 1); SLOT(label) = EXMAGIC; } else if (SLOT(label) == EXMAGIC) { Debugger("mac_test_destroy_temp: dup destroy"); } else { Debugger("mac_test_destroy_temp: corrupted label"); } } static void mac_test_destroy_vnode(struct vnode *vp, struct label *label) { if (SLOT(label) == VNODEMAGIC || SLOT(label) == 0) { atomic_add_int(&destroy_count_vnode, 1); SLOT(label) = EXMAGIC; } else if (SLOT(label) == EXMAGIC) { Debugger("mac_test_destroy_vnode: dup destroy"); } else { Debugger("mac_test_destroy_vnode: corrupted label"); } } static int mac_test_externalize(struct label *label, struct mac *extmac) { atomic_add_int(&externalize_count, 1); return (0); } static int mac_test_internalize(struct label *label, struct mac *extmac) { atomic_add_int(&internalize_count, 1); return (0); } /* * Labeling event operations: file system objects, and things that look * a lot like file system objects. */ static void mac_test_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent, struct label *label) { } static void mac_test_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label) { } static void mac_test_create_devfs_vnode(struct devfs_dirent *devfs_dirent, struct label *direntlabel, struct vnode *vp, struct label *vnodelabel) { } static void mac_test_create_vnode(struct ucred *cred, struct vnode *parent, struct label *parentlabel, struct vnode *child, struct label *childlabel) { } static void mac_test_create_mount(struct ucred *cred, struct mount *mp, struct label *mntlabel, struct label *fslabel) { } static void mac_test_create_root_mount(struct ucred *cred, struct mount *mp, struct label *mntlabel, struct label *fslabel) { } static void mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *label) { } static void mac_test_update_devfsdirent(struct devfs_dirent *devfs_dirent, struct vnode *vp) { } static void mac_test_update_procfsvnode(struct vnode *vp, struct label *vnodelabel, struct ucred *cred) { } static int mac_test_update_vnode_from_externalized(struct vnode *vp, struct label *vnodelabel, struct mac *extmac) { return (0); } static void mac_test_update_vnode_from_mount(struct vnode *vp, struct label *vnodelabel, struct mount *mp, struct label *fslabel) { } /* * Labeling event operations: IPC object. */ static void mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { } static void mac_test_create_socket(struct ucred *cred, struct socket *socket, struct label *socketlabel) { } static void mac_test_create_pipe(struct ucred *cred, struct pipe *pipe, struct label *pipelabel) { } static void mac_test_create_socket_from_socket(struct socket *oldsocket, struct label *oldsocketlabel, struct socket *newsocket, struct label *newsocketlabel) { } static void mac_test_relabel_socket(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) { } static void mac_test_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) { } static void mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel, struct socket *socket, struct label *socketpeerlabel) { } /* * Labeling event operations: network objects. */ static void mac_test_set_socket_peer_from_socket(struct socket *oldsocket, struct label *oldsocketlabel, struct socket *newsocket, struct label *newsocketpeerlabel) { } static void mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d, struct label *bpflabel) { } static void mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel, struct mbuf *datagram, struct label *datagramlabel) { } static void mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel, struct mbuf *fragment, struct label *fragmentlabel) { } static void mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel) { } static void mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { } static void mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel) { } static void mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *mbuf, struct label *mbuflabel) { } static void mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel, struct mbuf *mbuf, struct label *mbuflabel) { } static void mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel) { } static void mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *newmbuf, struct label *newmbuflabel) { } static void mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel) { } static int mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { return (1); } static void mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, struct label *newlabel) { } static void mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { } /* * Labeling event operations: processes. */ static void mac_test_create_cred(struct ucred *cred_parent, struct ucred *cred_child) { } static void mac_test_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *filelabel) { } static int mac_test_execve_will_transition(struct ucred *old, struct vnode *vp, struct label *filelabel) { return (0); } static void mac_test_create_proc0(struct ucred *cred) { } static void mac_test_create_proc1(struct ucred *cred) { } static void mac_test_relabel_cred(struct ucred *cred, struct label *newlabel) { } /* * Access control checks. */ static int mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel, struct ifnet *ifnet, struct label *ifnetlabel) { return (0); } static int mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel) { return (0); } static int mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2) { return (0); } static int mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, struct label *newlabel) { return (0); } static int mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel) { return (0); } static int mac_test_check_mount_stat(struct ucred *cred, struct mount *mp, struct label *mntlabel) { return (0); } static int mac_test_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) { return (0); } static int mac_test_check_pipe_op(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, int op) { return (0); } static int mac_test_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) { return (0); } static int mac_test_check_proc_debug(struct ucred *cred, struct proc *proc) { return (0); } static int mac_test_check_proc_sched(struct ucred *cred, struct proc *proc) { return (0); } static int mac_test_check_proc_signal(struct ucred *cred, struct proc *proc) { return (0); } static int mac_test_check_socket_bind(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { return (0); } static int mac_test_check_socket_connect(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { return (0); } static int mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { return (0); } static int mac_test_check_socket_listen(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { return (0); } static int mac_test_check_socket_visible(struct ucred *cred, struct socket *socket, struct label *socketlabel) { return (0); } static int mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) { return (0); } static int mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp, struct label *label, mode_t flags) { return (0); } static int mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { return (0); } static int mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { return (0); } static int mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp, struct vattr *vap) { return (0); } static int mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp) { return (0); } static int mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type) { return (0); } static int mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp, struct label *label) { return (0); } static int mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type) { return (0); } static int mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { return (0); } static int mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp) { return (0); } static int mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp, struct label *filelabel, mode_t acc_mode) { return (0); } static int +mac_test_check_vnode_poll(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + +static int +mac_test_check_vnode_read(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + +static int mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { return (0); } static int mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp, struct label *vnodelabel) { return (0); } static int mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *newlabel) { return (0); } static int mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp) { return (0); } static int mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, int samedir, struct componentname *cnp) { return (0); } static int mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp, struct label *label) { return (0); } static int mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type, struct acl *acl) { return (0); } static int mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { return (0); } static int mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp, struct label *label, u_long flags) { return (0); } static int mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp, struct label *label, mode_t mode) { return (0); } static int mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp, struct label *label, uid_t uid, gid_t gid) { return (0); } static int mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct label *label, struct timespec atime, struct timespec mtime) { return (0); } static int mac_test_check_vnode_stat(struct ucred *cred, struct vnode *vp, struct label *label) { return (0); } +static int +mac_test_check_vnode_write(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + static struct mac_policy_op_entry mac_test_ops[] = { { MAC_DESTROY, (macop_t)mac_test_destroy }, { MAC_INIT, (macop_t)mac_test_init }, { MAC_INIT_BPFDESC, (macop_t)mac_test_init_bpfdesc }, { MAC_INIT_CRED, (macop_t)mac_test_init_cred }, { MAC_INIT_DEVFSDIRENT, (macop_t)mac_test_init_devfsdirent }, { MAC_INIT_IFNET, (macop_t)mac_test_init_ifnet }, { MAC_INIT_IPQ, (macop_t)mac_test_init_ipq }, { MAC_INIT_MBUF, (macop_t)mac_test_init_mbuf }, { MAC_INIT_MOUNT, (macop_t)mac_test_init_mount }, { MAC_INIT_PIPE, (macop_t)mac_test_init_pipe }, { MAC_INIT_SOCKET, (macop_t)mac_test_init_socket }, { MAC_INIT_TEMP, (macop_t)mac_test_init_temp }, { MAC_INIT_VNODE, (macop_t)mac_test_init_vnode }, { MAC_DESTROY_BPFDESC, (macop_t)mac_test_destroy_bpfdesc }, { MAC_DESTROY_CRED, (macop_t)mac_test_destroy_cred }, { MAC_DESTROY_DEVFSDIRENT, (macop_t)mac_test_destroy_devfsdirent }, { MAC_DESTROY_IFNET, (macop_t)mac_test_destroy_ifnet }, { MAC_DESTROY_IPQ, (macop_t)mac_test_destroy_ipq }, { MAC_DESTROY_MBUF, (macop_t)mac_test_destroy_mbuf }, { MAC_DESTROY_MOUNT, (macop_t)mac_test_destroy_mount }, { MAC_DESTROY_PIPE, (macop_t)mac_test_destroy_pipe }, { MAC_DESTROY_SOCKET, (macop_t)mac_test_destroy_socket }, { MAC_DESTROY_TEMP, (macop_t)mac_test_destroy_temp }, { MAC_DESTROY_VNODE, (macop_t)mac_test_destroy_vnode }, { MAC_EXTERNALIZE, (macop_t)mac_test_externalize }, { MAC_INTERNALIZE, (macop_t)mac_test_internalize }, { MAC_CREATE_DEVFS_DEVICE, (macop_t)mac_test_create_devfs_device }, { MAC_CREATE_DEVFS_DIRECTORY, (macop_t)mac_test_create_devfs_directory }, { MAC_CREATE_DEVFS_VNODE, (macop_t)mac_test_create_devfs_vnode }, { MAC_CREATE_VNODE, (macop_t)mac_test_create_vnode }, { MAC_CREATE_MOUNT, (macop_t)mac_test_create_mount }, { MAC_CREATE_ROOT_MOUNT, (macop_t)mac_test_create_root_mount }, { MAC_RELABEL_VNODE, (macop_t)mac_test_relabel_vnode }, { MAC_UPDATE_DEVFSDIRENT, (macop_t)mac_test_update_devfsdirent }, { MAC_UPDATE_PROCFSVNODE, (macop_t)mac_test_update_procfsvnode }, { MAC_UPDATE_VNODE_FROM_EXTERNALIZED, (macop_t)mac_test_update_vnode_from_externalized }, { MAC_UPDATE_VNODE_FROM_MOUNT, (macop_t)mac_test_update_vnode_from_mount }, { MAC_CREATE_MBUF_FROM_SOCKET, (macop_t)mac_test_create_mbuf_from_socket }, { MAC_CREATE_PIPE, (macop_t)mac_test_create_pipe }, { MAC_CREATE_SOCKET, (macop_t)mac_test_create_socket }, { MAC_CREATE_SOCKET_FROM_SOCKET, (macop_t)mac_test_create_socket_from_socket }, { MAC_RELABEL_PIPE, (macop_t)mac_test_relabel_pipe }, { MAC_RELABEL_SOCKET, (macop_t)mac_test_relabel_socket }, { MAC_SET_SOCKET_PEER_FROM_MBUF, (macop_t)mac_test_set_socket_peer_from_mbuf }, { MAC_SET_SOCKET_PEER_FROM_SOCKET, (macop_t)mac_test_set_socket_peer_from_socket }, { MAC_CREATE_BPFDESC, (macop_t)mac_test_create_bpfdesc }, { MAC_CREATE_IFNET, (macop_t)mac_test_create_ifnet }, { MAC_CREATE_DATAGRAM_FROM_IPQ, (macop_t)mac_test_create_datagram_from_ipq }, { MAC_CREATE_FRAGMENT, (macop_t)mac_test_create_fragment }, { MAC_CREATE_IPQ, (macop_t)mac_test_create_ipq }, { MAC_CREATE_MBUF_FROM_MBUF, (macop_t)mac_test_create_mbuf_from_mbuf }, { MAC_CREATE_MBUF_LINKLAYER, (macop_t)mac_test_create_mbuf_linklayer }, { MAC_CREATE_MBUF_FROM_BPFDESC, (macop_t)mac_test_create_mbuf_from_bpfdesc }, { MAC_CREATE_MBUF_FROM_IFNET, (macop_t)mac_test_create_mbuf_from_ifnet }, { MAC_CREATE_MBUF_MULTICAST_ENCAP, (macop_t)mac_test_create_mbuf_multicast_encap }, { MAC_CREATE_MBUF_NETLAYER, (macop_t)mac_test_create_mbuf_netlayer }, { MAC_FRAGMENT_MATCH, (macop_t)mac_test_fragment_match }, { MAC_RELABEL_IFNET, (macop_t)mac_test_relabel_ifnet }, { MAC_UPDATE_IPQ, (macop_t)mac_test_update_ipq }, { MAC_CREATE_CRED, (macop_t)mac_test_create_cred }, { MAC_EXECVE_TRANSITION, (macop_t)mac_test_execve_transition }, { MAC_EXECVE_WILL_TRANSITION, (macop_t)mac_test_execve_will_transition }, { MAC_CREATE_PROC0, (macop_t)mac_test_create_proc0 }, { MAC_CREATE_PROC1, (macop_t)mac_test_create_proc1 }, { MAC_RELABEL_CRED, (macop_t)mac_test_relabel_cred }, { MAC_CHECK_BPFDESC_RECEIVE, (macop_t)mac_test_check_bpfdesc_receive }, { MAC_CHECK_CRED_RELABEL, (macop_t)mac_test_check_cred_relabel }, { MAC_CHECK_CRED_VISIBLE, (macop_t)mac_test_check_cred_visible }, { MAC_CHECK_IFNET_RELABEL, (macop_t)mac_test_check_ifnet_relabel }, { MAC_CHECK_IFNET_TRANSMIT, (macop_t)mac_test_check_ifnet_transmit }, { MAC_CHECK_MOUNT_STAT, (macop_t)mac_test_check_mount_stat }, { MAC_CHECK_PIPE_IOCTL, (macop_t)mac_test_check_pipe_ioctl }, { MAC_CHECK_PIPE_OP, (macop_t)mac_test_check_pipe_op }, { MAC_CHECK_PIPE_RELABEL, (macop_t)mac_test_check_pipe_relabel }, { MAC_CHECK_PROC_DEBUG, (macop_t)mac_test_check_proc_debug }, { MAC_CHECK_PROC_SCHED, (macop_t)mac_test_check_proc_sched }, { MAC_CHECK_PROC_SIGNAL, (macop_t)mac_test_check_proc_signal }, { MAC_CHECK_SOCKET_BIND, (macop_t)mac_test_check_socket_bind }, { MAC_CHECK_SOCKET_CONNECT, (macop_t)mac_test_check_socket_connect }, { MAC_CHECK_SOCKET_DELIVER, (macop_t)mac_test_check_socket_deliver }, { MAC_CHECK_SOCKET_LISTEN, (macop_t)mac_test_check_socket_listen }, { MAC_CHECK_SOCKET_RELABEL, (macop_t)mac_test_check_socket_relabel }, { MAC_CHECK_SOCKET_VISIBLE, (macop_t)mac_test_check_socket_visible }, { MAC_CHECK_VNODE_ACCESS, (macop_t)mac_test_check_vnode_access }, { MAC_CHECK_VNODE_CHDIR, (macop_t)mac_test_check_vnode_chdir }, { MAC_CHECK_VNODE_CHROOT, (macop_t)mac_test_check_vnode_chroot }, { MAC_CHECK_VNODE_CREATE, (macop_t)mac_test_check_vnode_create }, { MAC_CHECK_VNODE_DELETE, (macop_t)mac_test_check_vnode_delete }, { MAC_CHECK_VNODE_DELETEACL, (macop_t)mac_test_check_vnode_deleteacl }, { MAC_CHECK_VNODE_EXEC, (macop_t)mac_test_check_vnode_exec }, { MAC_CHECK_VNODE_GETACL, (macop_t)mac_test_check_vnode_getacl }, { MAC_CHECK_VNODE_GETEXTATTR, (macop_t)mac_test_check_vnode_getextattr }, { MAC_CHECK_VNODE_LOOKUP, (macop_t)mac_test_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, (macop_t)mac_test_check_vnode_open }, + { MAC_CHECK_VNODE_POLL, + (macop_t)mac_test_check_vnode_poll }, + { MAC_CHECK_VNODE_READ, + (macop_t)mac_test_check_vnode_read }, { MAC_CHECK_VNODE_READDIR, (macop_t)mac_test_check_vnode_readdir }, { MAC_CHECK_VNODE_READLINK, (macop_t)mac_test_check_vnode_readlink }, { MAC_CHECK_VNODE_RELABEL, (macop_t)mac_test_check_vnode_relabel }, { MAC_CHECK_VNODE_RENAME_FROM, (macop_t)mac_test_check_vnode_rename_from }, { MAC_CHECK_VNODE_RENAME_TO, (macop_t)mac_test_check_vnode_rename_to }, { MAC_CHECK_VNODE_REVOKE, (macop_t)mac_test_check_vnode_revoke }, { MAC_CHECK_VNODE_SETACL, (macop_t)mac_test_check_vnode_setacl }, { MAC_CHECK_VNODE_SETEXTATTR, (macop_t)mac_test_check_vnode_setextattr }, { MAC_CHECK_VNODE_SETFLAGS, (macop_t)mac_test_check_vnode_setflags }, { MAC_CHECK_VNODE_SETMODE, (macop_t)mac_test_check_vnode_setmode }, { MAC_CHECK_VNODE_SETOWNER, (macop_t)mac_test_check_vnode_setowner }, { MAC_CHECK_VNODE_SETUTIMES, (macop_t)mac_test_check_vnode_setutimes }, { MAC_CHECK_VNODE_STAT, (macop_t)mac_test_check_vnode_stat }, + { MAC_CHECK_VNODE_WRITE, + (macop_t)mac_test_check_vnode_write }, { MAC_OP_LAST, NULL } }; MAC_POLICY_SET(mac_test_ops, trustedbsd_mac_test, "TrustedBSD MAC/Test", MPC_LOADTIME_FLAG_UNLOADOK, &test_slot); Index: head/sys/sys/mac.h =================================================================== --- head/sys/sys/mac.h (revision 102111) +++ head/sys/sys/mac.h (revision 102112) @@ -1,391 +1,393 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by NAI Labs, * the Security Research Division of Network Associates, Inc. under * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The names of the authors may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ /* * Userland/kernel interface for Mandatory Access Control. * * The POSIX.1e implementation page may be reached at: * http://www.trustedbsd.org/ */ #ifndef _SYS_MAC_H #define _SYS_MAC_H #include #ifndef _POSIX_MAC #define _POSIX_MAC #endif /* * XXXMAC: The single MAC extended attribute will be deprecated once * compound EA writes on a single target file can be performed cleanly * with UFS2. */ #define FREEBSD_MAC_EXTATTR_NAME "freebsd.mac" #define FREEBSD_MAC_EXTATTR_NAMESPACE EXTATTR_NAMESPACE_SYSTEM /* * XXXMAC: Per-policy structures will be moved from mac.h to per-policy * include files once the revised user interface is available. */ /* * Structures and constants associated with a Biba Integrity policy. * mac_biba represents a Biba label, with mb_type determining its properties, * and mb_grade represents the hierarchal grade if valid for the current * mb_type. These structures will move to mac_biba.h once we have dymamic * labels exposed to userland. */ struct mac_biba_element { u_short mbe_type; u_short mbe_grade; }; /* * Biba labels consist of two components: a single label, and a label * range. Depending on the context, one or both may be used; the mb_flags * field permits the provider to indicate what fields are intended for * use. */ struct mac_biba { int mb_flags; struct mac_biba_element mb_single; struct mac_biba_element mb_rangelow, mb_rangehigh; }; /* * Structures and constants associated with a Multi-Level Security policy. * mac_mls represents an MLS label, with mm_type determining its properties, * and mm_level represents the hierarchal sensitivity level if valid for the * current mm_type. These structures will move to mac_mls.h once we have * dynamic labels exposed to userland. */ struct mac_mls_element { u_short mme_type; u_short mme_level; }; /* * MLS labels consist of two components: a single label, and a label * range. Depending on the context, one or both may be used; the mb_flags * field permits the provider to indicate what fields are intended for * use. */ struct mac_mls { int mm_flags; struct mac_mls_element mm_single; struct mac_mls_element mm_rangelow, mm_rangehigh; }; /* * Structures and constants associated with a Type Enforcement policy. * mac_te represents a Type Enforcement label. */ #define MAC_TE_TYPE_MAXLEN 32 struct mac_te { char mt_type[MAC_TE_TYPE_MAXLEN+1]; /* TE type */ }; struct mac_sebsd { uint32_t ms_psid; /* persistent sid storage */ }; /* * Composite structures and constants which combine the various policy * elements into common structures to be associated with subjects and * objects. */ struct mac { int m_macflags; struct mac_biba m_biba; struct mac_mls m_mls; struct mac_te m_te; struct mac_sebsd m_sebsd; }; typedef struct mac *mac_t; #define MAC_FLAG_INITIALIZED 0x00000001 /* Is initialized. */ #ifndef _KERNEL /* * POSIX.1e functions visible in the application namespace. */ int mac_dominate(const mac_t _labela, const mac_t _labelb); int mac_equal(const mac_t labela, const mac_t _labelb); int mac_free(void *_buf_p); mac_t mac_from_text(const char *_text_p); mac_t mac_get_fd(int _fildes); mac_t mac_get_file(const char *_path_p); mac_t mac_get_proc(void); mac_t mac_glb(const mac_t _labela, const mac_t _labelb); mac_t mac_lub(const mac_t _labela, const mac_t _labelb); int mac_set_fd(int _fildes, const mac_t _label); int mac_set_file(const char *_path_p, mac_t _label); int mac_set_proc(const mac_t _label); ssize_t mac_size(mac_t _label); char * mac_to_text(const mac_t _label, size_t *_len_p); int mac_valid(const mac_t _label); /* * Extensions to POSIX.1e visible in the application namespace. */ int mac_is_present_np(const char *_policyname); int mac_policy(const char *_policyname, int call, void *arg); /* * System calls wrapped by some POSIX.1e functions. */ int __mac_get_fd(int _fd, struct mac *_mac_p); int __mac_get_file(const char *_path_p, struct mac *_mac_p); int __mac_get_proc(struct mac *_mac_p); int __mac_set_fd(int fd, struct mac *_mac_p); int __mac_set_file(const char *_path_p, struct mac *_mac_p); int __mac_set_proc(struct mac *_mac_p); #else /* _KERNEL */ /* * MAC entry point operations */ enum mac_ep_ops { MAC_OP_VNODE_READ, MAC_OP_VNODE_WRITE, MAC_OP_VNODE_POLL, MAC_OP_PIPE_READ, MAC_OP_PIPE_WRITE, MAC_OP_PIPE_STAT, MAC_OP_PIPE_POLL }; /* * Kernel functions to manage and evaluate labels. */ struct bpf_d; struct componentname; struct devfs_dirent; struct ifnet; struct ifreq; struct ipq; struct mbuf; struct mount; struct proc; struct sockaddr; struct socket; struct pipe; struct timespec; struct ucred; struct uio; struct vattr; struct vnode; #include /* XXX acl_type_t */ struct vop_refreshlabel_args; struct vop_setlabel_args; /* * Label operations. */ void mac_init_bpfdesc(struct bpf_d *); void mac_init_cred(struct ucred *); void mac_init_devfsdirent(struct devfs_dirent *); void mac_init_ifnet(struct ifnet *); void mac_init_ipq(struct ipq *); void mac_init_socket(struct socket *); void mac_init_pipe(struct pipe *); int mac_init_mbuf(struct mbuf *m, int how); void mac_init_mount(struct mount *); void mac_init_vnode(struct vnode *); void mac_destroy_bpfdesc(struct bpf_d *); void mac_destroy_cred(struct ucred *); void mac_destroy_devfsdirent(struct devfs_dirent *); void mac_destroy_ifnet(struct ifnet *); void mac_destroy_ipq(struct ipq *); void mac_destroy_socket(struct socket *); void mac_destroy_pipe(struct pipe *); void mac_destroy_mbuf(struct mbuf *); void mac_destroy_mount(struct mount *); void mac_destroy_vnode(struct vnode *); /* * Labeling event operations: file system objects, and things that * look a lot like file system objects. */ void mac_create_devfs_device(dev_t dev, struct devfs_dirent *de); void mac_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *de); void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp); void mac_create_vnode(struct ucred *cred, struct vnode *parent, struct vnode *child); void mac_create_mount(struct ucred *cred, struct mount *mp); void mac_create_root_mount(struct ucred *cred, struct mount *mp); void mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel); void mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp); void mac_update_procfsvnode(struct vnode *vp, struct ucred *cred); void mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp); /* * Labeling event operations: IPC objects. */ void mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m); void mac_create_socket(struct ucred *cred, struct socket *socket); void mac_create_socket_from_socket(struct socket *oldsocket, struct socket *newsocket); void mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket); void mac_set_socket_peer_from_socket(struct socket *oldsocket, struct socket *newsocket); void mac_create_pipe(struct ucred *cred, struct pipe *pipe); /* * Labeling event operations: network objects. */ void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d); void mac_create_ifnet(struct ifnet *ifp); void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq); void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram); void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment); void mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf); void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *m); void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m); void mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *m); void mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, struct mbuf *newmbuf); void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf); int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq); void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq); /* * Labeling event operations: processes. */ void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child); void mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp); int mac_execve_will_transition(struct ucred *old, struct vnode *vp); void mac_create_proc0(struct ucred *cred); void mac_create_proc1(struct ucred *cred); /* Access control checks. */ int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet); int mac_check_cred_visible(struct ucred *u1, struct ucred *u2); int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m); int mac_check_mount_stat(struct ucred *cred, struct mount *mp); int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op); int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, void *data); int mac_check_proc_debug(struct ucred *cred, struct proc *proc); int mac_check_proc_sched(struct ucred *cred, struct proc *proc); int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum); int mac_check_socket_bind(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr); int mac_check_socket_connect(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr); int mac_check_socket_deliver(struct socket *so, struct mbuf *m); int mac_check_socket_listen(struct ucred *cred, struct socket *so); int mac_check_socket_visible(struct ucred *cred, struct socket *so); int mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags); int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp); int mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp); int mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct componentname *cnp, struct vattr *vap); int mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp); int mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, acl_type_t type); int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp); int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type); int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio); int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp); /* XXX This u_char should be vm_prot_t! */ u_char mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping); -int mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op); int mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode); +int mac_check_vnode_poll(struct ucred *cred, struct vnode *vp); +int mac_check_vnode_read(struct ucred *cred, struct vnode *vp); int mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp); int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp); int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp); int mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, struct vnode *vp, int samedir, struct componentname *cnp); int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp); int mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, struct acl *acl); int mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio); int mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags); int mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode); int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, gid_t gid); int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime); int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp); +int mac_check_vnode_write(struct ucred *cred, struct vnode *vp); int mac_getsockopt_label_get(struct ucred *cred, struct socket *so, struct mac *extmac); int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, struct mac *extmac); int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet); int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet); int mac_setsockopt_label_set(struct ucred *cred, struct socket *so, struct mac *extmac); int mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label); /* * Calls to help various file systems implement labeling functionality * using their existing EA implementation. */ int vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred); int vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap); int vop_stdsetlabel_ea(struct vop_setlabel_args *ap); #endif /* _KERNEL */ #endif /* !_SYS_MAC_H */ Index: head/sys/sys/mac_policy.h =================================================================== --- head/sys/sys/mac_policy.h (revision 102111) +++ head/sys/sys/mac_policy.h (revision 102112) @@ -1,492 +1,498 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by NAI Labs, * the Security Research Division of Network Associates, Inc. under * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The names of the authors may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ /* * Kernel interface for MAC policy modules. */ #ifndef _SYS_MAC_POLICY_H #define _SYS_MAC_POLICY_H /*- * Pluggable access control policy definition structure. * * List of operations that are performed as part of the implementation * of a MAC policy. Policy implementors declare operations with a * mac_policy_ops structure, and using the MAC_POLICY_SET() macro. * If an entry point is not declared, then then the policy will be ignored * during evaluation of that event or check. * * Operations are sorted first by general class of operation, then * alphabetically. */ struct mac_policy_conf; struct mac_policy_ops { /* * Policy module operations. */ void (*mpo_destroy)(struct mac_policy_conf *mpc); void (*mpo_init)(struct mac_policy_conf *mpc); /* * Label operations. */ void (*mpo_init_bpfdesc)(struct bpf_d *, struct label *label); void (*mpo_init_cred)(struct ucred *, struct label *label); void (*mpo_init_devfsdirent)(struct devfs_dirent *, struct label *label); void (*mpo_init_ifnet)(struct ifnet *, struct label *label); void (*mpo_init_ipq)(struct ipq *ipq, struct label *label); int (*mpo_init_mbuf)(struct mbuf *, int how, struct label *label); void (*mpo_init_mount)(struct mount *, struct label *mntlabel, struct label *fslabel); void (*mpo_init_socket)(struct socket *so, struct label *label, struct label *peerlabel); void (*mpo_init_pipe)(struct pipe *pipe, struct label *label); void (*mpo_init_temp)(struct label *label); void (*mpo_init_vnode)(struct vnode *, struct label *label); void (*mpo_destroy_bpfdesc)(struct bpf_d *, struct label *label); void (*mpo_destroy_cred)(struct ucred *, struct label *label); void (*mpo_destroy_devfsdirent)(struct devfs_dirent *de, struct label *label); void (*mpo_destroy_ifnet)(struct ifnet *, struct label *label); void (*mpo_destroy_ipq)(struct ipq *ipq, struct label *label); void (*mpo_destroy_mbuf)(struct mbuf *, struct label *label); void (*mpo_destroy_mount)(struct mount *, struct label *mntlabel, struct label *fslabel); void (*mpo_destroy_socket)(struct socket *so, struct label *label, struct label *peerlabel); void (*mpo_destroy_pipe)(struct pipe *pipe, struct label *label); void (*mpo_destroy_temp)(struct label *label); void (*mpo_destroy_vnode)(struct vnode *, struct label *label); int (*mpo_externalize)(struct label *label, struct mac *extmac); int (*mpo_internalize)(struct label *label, struct mac *extmac); /* * Labeling event operations: file system objects, and things that * look a lot like file system objects. */ void (*mpo_create_devfs_device)(dev_t dev, struct devfs_dirent *de, struct label *label); void (*mpo_create_devfs_directory)(char *dirname, int dirnamelen, struct devfs_dirent *de, struct label *label); void (*mpo_create_devfs_vnode)(struct devfs_dirent *de, struct label *direntlabel, struct vnode *vp, struct label *vnodelabel); void (*mpo_create_vnode)(struct ucred *cred, struct vnode *parent, struct label *parentlabel, struct vnode *child, struct label *childlabel); void (*mpo_create_mount)(struct ucred *cred, struct mount *mp, struct label *mntlabel, struct label *fslabel); void (*mpo_create_root_mount)(struct ucred *cred, struct mount *mp, struct label *mountlabel, struct label *fslabel); void (*mpo_relabel_vnode)(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *label); int (*mpo_stdcreatevnode_ea)(struct vnode *vp, struct label *vnodelabel); void (*mpo_update_devfsdirent)(struct devfs_dirent *devfs_dirent, struct label *direntlabel, struct vnode *vp, struct label *vnodelabel); void (*mpo_update_procfsvnode)(struct vnode *vp, struct label *vnodelabel, struct ucred *cred); int (*mpo_update_vnode_from_extattr)(struct vnode *vp, struct label *vnodelabel, struct mount *mp, struct label *fslabel); int (*mpo_update_vnode_from_externalized)(struct vnode *vp, struct label *vnodelabel, struct mac *mac); void (*mpo_update_vnode_from_mount)(struct vnode *vp, struct label *vnodelabel, struct mount *mp, struct label *fslabel); /* * Labeling event operations: IPC objects. */ void (*mpo_create_mbuf_from_socket)(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel); void (*mpo_create_socket)(struct ucred *cred, struct socket *so, struct label *socketlabel); void (*mpo_create_socket_from_socket)(struct socket *oldsocket, struct label *oldsocketlabel, struct socket *newsocket, struct label *newsocketlabel); void (*mpo_relabel_socket)(struct ucred *cred, struct socket *so, struct label *oldlabel, struct label *newlabel); void (*mpo_relabel_pipe)(struct ucred *cred, struct pipe *pipe, struct label *oldlabel, struct label *newlabel); void (*mpo_set_socket_peer_from_mbuf)(struct mbuf *mbuf, struct label *mbuflabel, struct socket *so, struct label *socketpeerlabel); void (*mpo_set_socket_peer_from_socket)(struct socket *oldsocket, struct label *oldsocketlabel, struct socket *newsocket, struct label *newsocketpeerlabel); void (*mpo_create_pipe)(struct ucred *cred, struct pipe *pipe, struct label *pipelabel); /* * Labeling event operations: network objects. */ void (*mpo_create_bpfdesc)(struct ucred *cred, struct bpf_d *bpf_d, struct label *bpflabel); void (*mpo_create_ifnet)(struct ifnet *ifnet, struct label *ifnetlabel); void (*mpo_create_ipq)(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel); void (*mpo_create_datagram_from_ipq) (struct ipq *ipq, struct label *ipqlabel, struct mbuf *datagram, struct label *datagramlabel); void (*mpo_create_fragment)(struct mbuf *datagram, struct label *datagramlabel, struct mbuf *fragment, struct label *fragmentlabel); void (*mpo_create_mbuf_from_mbuf)(struct mbuf *oldmbuf, struct label *oldlabel, struct mbuf *newmbuf, struct label *newlabel); void (*mpo_create_mbuf_linklayer)(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *mbuf, struct label *mbuflabel); void (*mpo_create_mbuf_from_bpfdesc)(struct bpf_d *bpf_d, struct label *bpflabel, struct mbuf *mbuf, struct label *mbuflabel); void (*mpo_create_mbuf_from_ifnet)(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *mbuf, struct label *mbuflabel); void (*mpo_create_mbuf_multicast_encap)(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *newmbuf, struct label *newmbuflabel); void (*mpo_create_mbuf_netlayer)(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel); int (*mpo_fragment_match)(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel); void (*mpo_relabel_ifnet)(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, struct label *newlabel); void (*mpo_update_ipq)(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel); /* * Labeling event operations: processes. */ void (*mpo_create_cred)(struct ucred *parent_cred, struct ucred *child_cred); void (*mpo_execve_transition)(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *vnodelabel); int (*mpo_execve_will_transition)(struct ucred *old, struct vnode *vp, struct label *vnodelabel); void (*mpo_create_proc0)(struct ucred *cred); void (*mpo_create_proc1)(struct ucred *cred); void (*mpo_relabel_cred)(struct ucred *cred, struct label *newlabel); /* * Access control checks. */ int (*mpo_check_bpfdesc_receive)(struct bpf_d *bpf_d, struct label *bpflabel, struct ifnet *ifnet, struct label *ifnetlabel); int (*mpo_check_cred_relabel)(struct ucred *cred, struct label *newlabel); int (*mpo_check_cred_visible)(struct ucred *u1, struct ucred *u2); int (*mpo_check_ifnet_relabel)(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, struct label *newlabel); int (*mpo_check_ifnet_transmit)(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel); int (*mpo_check_mount_stat)(struct ucred *cred, struct mount *mp, struct label *mntlabel); int (*mpo_check_pipe_ioctl)(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, unsigned long cmd, void *data); int (*mpo_check_pipe_op)(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, int op); int (*mpo_check_pipe_relabel)(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel); int (*mpo_check_proc_debug)(struct ucred *cred, struct proc *proc); int (*mpo_check_proc_sched)(struct ucred *cred, struct proc *proc); int (*mpo_check_proc_signal)(struct ucred *cred, struct proc *proc, int signum); int (*mpo_check_socket_bind)(struct ucred *cred, struct socket *so, struct label *socketlabel, struct sockaddr *sockaddr); int (*mpo_check_socket_connect)(struct ucred *cred, struct socket *so, struct label *socketlabel, struct sockaddr *sockaddr); int (*mpo_check_socket_deliver)(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel); int (*mpo_check_socket_listen)(struct ucred *cred, struct socket *so, struct label *socketlabel); int (*mpo_check_socket_relabel)(struct ucred *cred, struct socket *so, struct label *socketlabel, struct label *newlabel); int (*mpo_check_socket_visible)(struct ucred *cred, struct socket *so, struct label *socketlabel); int (*mpo_check_vnode_access)(struct ucred *cred, struct vnode *vp, struct label *label, int flags); int (*mpo_check_vnode_chdir)(struct ucred *cred, struct vnode *dvp, struct label *dlabel); int (*mpo_check_vnode_chroot)(struct ucred *cred, struct vnode *dvp, struct label *dlabel); int (*mpo_check_vnode_create)(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp, struct vattr *vap); int (*mpo_check_vnode_delete)(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, void *label, struct componentname *cnp); int (*mpo_check_vnode_deleteacl)(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type); int (*mpo_check_vnode_exec)(struct ucred *cred, struct vnode *vp, struct label *label); int (*mpo_check_vnode_getacl)(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type); int (*mpo_check_vnode_getextattr)(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio); int (*mpo_check_vnode_lookup)(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp); vm_prot_t (*mpo_check_vnode_mmap_perms)(struct ucred *cred, struct vnode *vp, struct label *label, int newmapping); - int (*mpo_check_vnode_op)(struct ucred *cred, struct vnode *vp, - struct label *label, int op); int (*mpo_check_vnode_open)(struct ucred *cred, struct vnode *vp, struct label *label, mode_t acc_mode); + int (*mpo_check_vnode_poll)(struct ucred *cred, struct vnode *vp, + struct label *label); + int (*mpo_check_vnode_read)(struct ucred *cred, struct vnode *vp, + struct label *label); int (*mpo_check_vnode_readdir)(struct ucred *cred, struct vnode *dvp, struct label *dlabel); int (*mpo_check_vnode_readlink)(struct ucred *cred, struct vnode *vp, struct label *label); int (*mpo_check_vnode_relabel)(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *newlabel); int (*mpo_check_vnode_rename_from)(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp); int (*mpo_check_vnode_rename_to)(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, int samedir, struct componentname *cnp); int (*mpo_check_vnode_revoke)(struct ucred *cred, struct vnode *vp, struct label *label); int (*mpo_check_vnode_setacl)(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type, struct acl *acl); int (*mpo_check_vnode_setextattr)(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio); int (*mpo_check_vnode_setflags)(struct ucred *cred, struct vnode *vp, struct label *label, u_long flags); int (*mpo_check_vnode_setmode)(struct ucred *cred, struct vnode *vp, struct label *label, mode_t mode); int (*mpo_check_vnode_setowner)(struct ucred *cred, struct vnode *vp, struct label *label, uid_t uid, gid_t gid); int (*mpo_check_vnode_setutimes)(struct ucred *cred, struct vnode *vp, struct label *label, struct timespec atime, struct timespec mtime); int (*mpo_check_vnode_stat)(struct ucred *cred, struct vnode *vp, struct label *label); + int (*mpo_check_vnode_write)(struct ucred *cred, struct vnode *vp, + struct label *label); }; typedef const void *macop_t; enum mac_op_constant { MAC_OP_LAST, MAC_DESTROY, MAC_INIT, MAC_INIT_BPFDESC, MAC_INIT_CRED, MAC_INIT_DEVFSDIRENT, MAC_INIT_IFNET, MAC_INIT_IPQ, MAC_INIT_MBUF, MAC_INIT_MOUNT, MAC_INIT_PIPE, MAC_INIT_SOCKET, MAC_INIT_TEMP, MAC_INIT_VNODE, MAC_DESTROY_BPFDESC, MAC_DESTROY_CRED, MAC_DESTROY_DEVFSDIRENT, MAC_DESTROY_IFNET, MAC_DESTROY_IPQ, MAC_DESTROY_MBUF, MAC_DESTROY_MOUNT, MAC_DESTROY_PIPE, MAC_DESTROY_SOCKET, MAC_DESTROY_TEMP, MAC_DESTROY_VNODE, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_CREATE_DEVFS_DEVICE, MAC_CREATE_DEVFS_DIRECTORY, MAC_CREATE_DEVFS_VNODE, MAC_CREATE_VNODE, MAC_CREATE_MOUNT, MAC_CREATE_ROOT_MOUNT, MAC_RELABEL_VNODE, MAC_STDCREATEVNODE_EA, MAC_UPDATE_DEVFSDIRENT, MAC_UPDATE_PROCFSVNODE, MAC_UPDATE_VNODE_FROM_EXTATTR, MAC_UPDATE_VNODE_FROM_EXTERNALIZED, MAC_UPDATE_VNODE_FROM_MOUNT, MAC_CREATE_MBUF_FROM_SOCKET, MAC_CREATE_PIPE, MAC_CREATE_SOCKET, MAC_CREATE_SOCKET_FROM_SOCKET, MAC_RELABEL_PIPE, MAC_RELABEL_SOCKET, MAC_SET_SOCKET_PEER_FROM_MBUF, MAC_SET_SOCKET_PEER_FROM_SOCKET, MAC_CREATE_BPFDESC, MAC_CREATE_DATAGRAM_FROM_IPQ, MAC_CREATE_IFNET, MAC_CREATE_IPQ, MAC_CREATE_FRAGMENT, MAC_CREATE_MBUF_FROM_MBUF, MAC_CREATE_MBUF_LINKLAYER, MAC_CREATE_MBUF_FROM_BPFDESC, MAC_CREATE_MBUF_FROM_IFNET, MAC_CREATE_MBUF_MULTICAST_ENCAP, MAC_CREATE_MBUF_NETLAYER, MAC_FRAGMENT_MATCH, MAC_RELABEL_IFNET, MAC_UPDATE_IPQ, MAC_CREATE_CRED, MAC_EXECVE_TRANSITION, MAC_EXECVE_WILL_TRANSITION, MAC_CREATE_PROC0, MAC_CREATE_PROC1, MAC_RELABEL_CRED, MAC_CHECK_BPFDESC_RECEIVE, MAC_CHECK_CRED_RELABEL, MAC_CHECK_CRED_VISIBLE, MAC_CHECK_IFNET_RELABEL, MAC_CHECK_IFNET_TRANSMIT, MAC_CHECK_MOUNT_STAT, MAC_CHECK_PIPE_IOCTL, MAC_CHECK_PIPE_OP, MAC_CHECK_PIPE_RELABEL, MAC_CHECK_PROC_DEBUG, MAC_CHECK_PROC_SCHED, MAC_CHECK_PROC_SIGNAL, MAC_CHECK_SOCKET_BIND, MAC_CHECK_SOCKET_CONNECT, MAC_CHECK_SOCKET_DELIVER, MAC_CHECK_SOCKET_LISTEN, MAC_CHECK_SOCKET_RELABEL, MAC_CHECK_SOCKET_VISIBLE, MAC_CHECK_VNODE_ACCESS, MAC_CHECK_VNODE_CHDIR, MAC_CHECK_VNODE_CHROOT, MAC_CHECK_VNODE_CREATE, MAC_CHECK_VNODE_DELETE, MAC_CHECK_VNODE_DELETEACL, MAC_CHECK_VNODE_EXEC, MAC_CHECK_VNODE_GETACL, MAC_CHECK_VNODE_GETEXTATTR, MAC_CHECK_VNODE_LOOKUP, MAC_CHECK_VNODE_MMAP_PERMS, - MAC_CHECK_VNODE_OP, MAC_CHECK_VNODE_OPEN, + MAC_CHECK_VNODE_POLL, + MAC_CHECK_VNODE_READ, MAC_CHECK_VNODE_READDIR, MAC_CHECK_VNODE_READLINK, MAC_CHECK_VNODE_RELABEL, MAC_CHECK_VNODE_RENAME_FROM, MAC_CHECK_VNODE_RENAME_TO, MAC_CHECK_VNODE_REVOKE, MAC_CHECK_VNODE_SETACL, MAC_CHECK_VNODE_SETEXTATTR, MAC_CHECK_VNODE_SETFLAGS, MAC_CHECK_VNODE_SETMODE, MAC_CHECK_VNODE_SETOWNER, MAC_CHECK_VNODE_SETUTIMES, MAC_CHECK_VNODE_STAT, + MAC_CHECK_VNODE_WRITE, }; struct mac_policy_op_entry { enum mac_op_constant mpe_constant; /* what this hook implements */ macop_t mpe_function; /* hook's implementation */ }; struct mac_policy_conf { char *mpc_name; /* policy name */ char *mpc_fullname; /* policy full name */ struct mac_policy_ops *mpc_ops; /* policy operations */ struct mac_policy_op_entry *mpc_entries; /* ops to fill in */ int mpc_loadtime_flags; /* flags */ int *mpc_field_off; /* security field */ int mpc_runtime_flags; /* flags */ LIST_ENTRY(mac_policy_conf) mpc_list; /* global list */ }; /* Flags for the mpc_loadtime_flags field. */ #define MPC_LOADTIME_FLAG_NOTLATE 0x00000001 #define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002 /* Flags for the mpc_runtime_flags field. */ #define MPC_RUNTIME_FLAG_REGISTERED 0x00000001 #define MAC_POLICY_SET(mpents, mpname, mpfullname, mpflags, privdata_wanted) \ static struct mac_policy_conf mpname##_mac_policy_conf = { \ #mpname, \ mpfullname, \ NULL, \ mpents, \ mpflags, \ privdata_wanted, \ 0, \ }; \ static moduledata_t mpname##_mod = { \ #mpname, \ mac_policy_modevent, \ &mpname##_mac_policy_conf \ }; \ MODULE_DEPEND(mpname, kernel_mac_support, 1, 1, 1); \ DECLARE_MODULE(mpname, mpname##_mod, SI_SUB_MAC_POLICY, \ SI_ORDER_MIDDLE) int mac_policy_modevent(module_t mod, int type, void *data); #define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s] #endif /* !_SYS_MAC_POLICY_H */