Index: head/sys/kern/vfs_lookup.c
===================================================================
--- head/sys/kern/vfs_lookup.c (revision 357888)
+++ head/sys/kern/vfs_lookup.c (revision 357889)
@@ -1,1518 +1,1515 @@ /*- * SPDX-License-Identifier: BSD-3-Clause * * Copyright (c) 1982, 1986, 1989, 1993 * The Regents of the University of California. All rights reserved. * (c) UNIX System Laboratories, Inc. * All or some portions of this file are derived from material licensed * to the University of California by American Telephone and Telegraph * Co. or Unix System Laboratories, Inc. and are reproduced herein with * the permission of UNIX System Laboratories, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
* * @(#)vfs_lookup.c 8.4 (Berkeley) 2/16/94 */ #include __FBSDID("$FreeBSD$"); #include "opt_capsicum.h" #include "opt_ktrace.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef KTRACE #include #endif #include #include #include #define NAMEI_DIAGNOSTIC 1 #undef NAMEI_DIAGNOSTIC SDT_PROVIDER_DECLARE(vfs); SDT_PROBE_DEFINE3(vfs, namei, lookup, entry, "struct vnode *", "char *", "unsigned long"); SDT_PROBE_DEFINE2(vfs, namei, lookup, return, "int", "struct vnode *"); /* Allocation zone for namei. */ uma_zone_t namei_zone; /* Placeholder vnode for mp traversal. */ static struct vnode *vp_crossmp; static int crossmp_vop_islocked(struct vop_islocked_args *ap) { return (LK_SHARED); } static int crossmp_vop_lock1(struct vop_lock1_args *ap) { struct vnode *vp; struct lock *lk __unused; const char *file __unused; int flags, line __unused; vp = ap->a_vp; lk = vp->v_vnlock; flags = ap->a_flags; file = ap->a_file; line = ap->a_line; if ((flags & LK_SHARED) == 0) panic("invalid lock request for crossmp"); WITNESS_CHECKORDER(&lk->lock_object, LOP_NEWORDER, file, line, flags & LK_INTERLOCK ? &VI_MTX(vp)->lock_object : NULL); WITNESS_LOCK(&lk->lock_object, 0, file, line); if ((flags & LK_INTERLOCK) != 0) VI_UNLOCK(vp); LOCK_LOG_LOCK("SLOCK", &lk->lock_object, 0, 0, ap->a_file, line); return (0); } static int crossmp_vop_unlock(struct vop_unlock_args *ap) { struct vnode *vp; struct lock *lk __unused; vp = ap->a_vp; lk = vp->v_vnlock; WITNESS_UNLOCK(&lk->lock_object, 0, LOCK_FILE, LOCK_LINE); LOCK_LOG_LOCK("SUNLOCK", &lk->lock_object, 0, 0, LOCK_FILE, LOCK_LINE); return (0); } static struct vop_vector crossmp_vnodeops = { .vop_default = &default_vnodeops, .vop_islocked = crossmp_vop_islocked, .vop_lock1 = crossmp_vop_lock1, .vop_unlock = crossmp_vop_unlock, }; /* * VFS_VOP_VECTOR_REGISTER(crossmp_vnodeops) is not used here since the vnode * gets allocated early. 
See nameiinit for the direct call below. */ struct nameicap_tracker { struct vnode *dp; TAILQ_ENTRY(nameicap_tracker) nm_link; }; /* Zone for cap mode tracker elements used for dotdot capability checks. */ static uma_zone_t nt_zone; static void nameiinit(void *dummy __unused) { namei_zone = uma_zcreate("NAMEI", MAXPATHLEN, NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0); nt_zone = uma_zcreate("rentr", sizeof(struct nameicap_tracker), NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0); vfs_vector_op_register(&crossmp_vnodeops); getnewvnode("crossmp", NULL, &crossmp_vnodeops, &vp_crossmp); } SYSINIT(vfs, SI_SUB_VFS, SI_ORDER_SECOND, nameiinit, NULL); static int lookup_cap_dotdot = 1; SYSCTL_INT(_vfs, OID_AUTO, lookup_cap_dotdot, CTLFLAG_RWTUN, &lookup_cap_dotdot, 0, "enables \"..\" components in path lookup in capability mode"); static int lookup_cap_dotdot_nonlocal = 1; SYSCTL_INT(_vfs, OID_AUTO, lookup_cap_dotdot_nonlocal, CTLFLAG_RWTUN, &lookup_cap_dotdot_nonlocal, 0, "enables \"..\" components in path lookup in capability mode " "on non-local mount"); static void nameicap_tracker_add(struct nameidata *ndp, struct vnode *dp) { struct nameicap_tracker *nt; if ((ndp->ni_lcf & NI_LCF_CAP_DOTDOT) == 0 || dp->v_type != VDIR) return; if ((ndp->ni_lcf & (NI_LCF_BENEATH_ABS | NI_LCF_BENEATH_LATCHED)) == NI_LCF_BENEATH_ABS) { MPASS((ndp->ni_lcf & NI_LCF_LATCH) != 0); if (dp != ndp->ni_beneath_latch) return; ndp->ni_lcf |= NI_LCF_BENEATH_LATCHED; } nt = uma_zalloc(nt_zone, M_WAITOK); vhold(dp); nt->dp = dp; TAILQ_INSERT_TAIL(&ndp->ni_cap_tracker, nt, nm_link); } static void nameicap_cleanup(struct nameidata *ndp, bool clean_latch) { struct nameicap_tracker *nt, *nt1; KASSERT(TAILQ_EMPTY(&ndp->ni_cap_tracker) || (ndp->ni_lcf & NI_LCF_CAP_DOTDOT) != 0, ("not strictrelative")); TAILQ_FOREACH_SAFE(nt, &ndp->ni_cap_tracker, nm_link, nt1) { TAILQ_REMOVE(&ndp->ni_cap_tracker, nt, nm_link); vdrop(nt->dp); uma_zfree(nt_zone, nt); } if (clean_latch && (ndp->ni_lcf & NI_LCF_LATCH) != 0) { 
ndp->ni_lcf &= ~NI_LCF_LATCH; vrele(ndp->ni_beneath_latch); } } /* * For dotdot lookups in capability mode, only allow the component * lookup to succeed if the resulting directory was already traversed * during the operation. Also fail dotdot lookups for non-local * filesystems, where external agents might assist local lookups to * escape the compartment. */ static int nameicap_check_dotdot(struct nameidata *ndp, struct vnode *dp) { struct nameicap_tracker *nt; struct mount *mp; if ((ndp->ni_lcf & NI_LCF_CAP_DOTDOT) == 0 || dp == NULL || dp->v_type != VDIR) return (0); mp = dp->v_mount; if (lookup_cap_dotdot_nonlocal == 0 && mp != NULL && (mp->mnt_flag & MNT_LOCAL) == 0) return (ENOTCAPABLE); TAILQ_FOREACH_REVERSE(nt, &ndp->ni_cap_tracker, nameicap_tracker_head, nm_link) { if (dp == nt->dp) return (0); } if ((ndp->ni_lcf & NI_LCF_BENEATH_ABS) != 0) { ndp->ni_lcf &= ~NI_LCF_BENEATH_LATCHED; nameicap_cleanup(ndp, false); return (0); } return (ENOTCAPABLE); } static void namei_cleanup_cnp(struct componentname *cnp) { uma_zfree(namei_zone, cnp->cn_pnbuf); #ifdef DIAGNOSTIC cnp->cn_pnbuf = NULL; cnp->cn_nameptr = NULL; #endif } static int namei_handle_root(struct nameidata *ndp, struct vnode **dpp, u_int n) { struct componentname *cnp; cnp = &ndp->ni_cnd; if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) != 0) { #ifdef KTRACE if (KTRPOINT(curthread, KTR_CAPFAIL)) ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL); #endif return (ENOTCAPABLE); } if ((cnp->cn_flags & BENEATH) != 0) { ndp->ni_lcf |= NI_LCF_BENEATH_ABS; ndp->ni_lcf &= ~NI_LCF_BENEATH_LATCHED; nameicap_cleanup(ndp, false); } while (*(cnp->cn_nameptr) == '/') { cnp->cn_nameptr++; ndp->ni_pathlen--; } *dpp = ndp->ni_rootdir; vrefactn(*dpp, n); return (0); } /* * Convert a pathname into a pointer to a locked vnode. * * The FOLLOW flag is set when symbolic links are to be followed * when they occur at the end of the name translation process. 
* Symbolic links are always followed for all other pathname * components other than the last. * * The segflg defines whether the name is to be copied from user * space or kernel space. * * Overall outline of namei: * * copy in name * get starting directory * while (!done && !error) { * call lookup to search path. * if symbolic link, massage name in buffer and continue * } */ int namei(struct nameidata *ndp) { struct filedesc *fdp; /* pointer to file descriptor state */ char *cp; /* pointer into pathname argument */ struct vnode *dp; /* the directory we are searching */ struct iovec aiov; /* uio for reading symbolic links */ struct componentname *cnp; struct file *dfp; struct thread *td; struct proc *p; cap_rights_t rights; struct filecaps dirfd_caps; struct uio auio; int error, linklen, startdir_used; cnp = &ndp->ni_cnd; td = cnp->cn_thread; p = td->td_proc; ndp->ni_cnd.cn_cred = ndp->ni_cnd.cn_thread->td_ucred; KASSERT(cnp->cn_cred && p, ("namei: bad cred/proc")); KASSERT((cnp->cn_nameiop & (~OPMASK)) == 0, ("namei: nameiop contaminated with flags")); KASSERT((cnp->cn_flags & OPMASK) == 0, ("namei: flags contaminated with nameiops")); MPASS(ndp->ni_startdir == NULL || ndp->ni_startdir->v_type == VDIR || ndp->ni_startdir->v_type == VBAD); fdp = p->p_fd; TAILQ_INIT(&ndp->ni_cap_tracker); ndp->ni_lcf = 0; /* We will set this ourselves if we need it. */ cnp->cn_flags &= ~TRAILINGSLASH; /* * Get a buffer for the name to be translated, and copy the * name into the buffer. */ if ((cnp->cn_flags & HASBUF) == 0) cnp->cn_pnbuf = uma_zalloc(namei_zone, M_WAITOK); if (ndp->ni_segflg == UIO_SYSSPACE) error = copystr(ndp->ni_dirp, cnp->cn_pnbuf, MAXPATHLEN, &ndp->ni_pathlen); else error = copyinstr(ndp->ni_dirp, cnp->cn_pnbuf, MAXPATHLEN, &ndp->ni_pathlen); /* * Don't allow empty pathnames. 
*/ if (error == 0 && *cnp->cn_pnbuf == '\0') error = ENOENT; #ifdef CAPABILITY_MODE /* * In capability mode, lookups must be restricted to happen in * the subtree with the root specified by the file descriptor: * - The root must be real file descriptor, not the pseudo-descriptor * AT_FDCWD. * - The passed path must be relative and not absolute. * - If lookup_cap_dotdot is disabled, path must not contain the * '..' components. * - If lookup_cap_dotdot is enabled, we verify that all '..' * components lookups result in the directories which were * previously walked by us, which prevents an escape from * the relative root. */ if (error == 0 && IN_CAPABILITY_MODE(td) && (cnp->cn_flags & NOCAPCHECK) == 0) { ndp->ni_lcf |= NI_LCF_STRICTRELATIVE; if (ndp->ni_dirfd == AT_FDCWD) { #ifdef KTRACE if (KTRPOINT(td, KTR_CAPFAIL)) ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL); #endif error = ECAPMODE; } } #endif if (error != 0) { namei_cleanup_cnp(cnp); ndp->ni_vp = NULL; return (error); } ndp->ni_loopcnt = 0; #ifdef KTRACE if (KTRPOINT(td, KTR_NAMEI)) { KASSERT(cnp->cn_thread == curthread, ("namei not using curthread")); ktrnamei(cnp->cn_pnbuf); } #endif /* * Get starting point for the translation. */ FILEDESC_SLOCK(fdp); /* * The reference on ni_rootdir is acquired in the block below to avoid * back-to-back atomics for absolute lookups. */ ndp->ni_rootdir = fdp->fd_rdir; ndp->ni_topdir = fdp->fd_jdir; /* * If we are auditing the kernel pathname, save the user pathname. */ if (cnp->cn_flags & AUDITVNODE1) AUDIT_ARG_UPATH1(td, ndp->ni_dirfd, cnp->cn_pnbuf); if (cnp->cn_flags & AUDITVNODE2) AUDIT_ARG_UPATH2(td, ndp->ni_dirfd, cnp->cn_pnbuf); startdir_used = 0; dp = NULL; cnp->cn_nameptr = cnp->cn_pnbuf; if (cnp->cn_pnbuf[0] == '/') { ndp->ni_resflags |= NIRES_ABS; error = namei_handle_root(ndp, &dp, 2); if (error != 0) { /* * Simplify error handling, we should almost never be * here. 
*/ vrefact(ndp->ni_rootdir); } } else { if (ndp->ni_startdir != NULL) { vrefact(ndp->ni_rootdir); dp = ndp->ni_startdir; startdir_used = 1; } else if (ndp->ni_dirfd == AT_FDCWD) { dp = fdp->fd_cdir; if (dp == ndp->ni_rootdir) { vrefactn(dp, 2); } else { vrefact(ndp->ni_rootdir); vrefact(dp); } } else { vrefact(ndp->ni_rootdir); rights = ndp->ni_rightsneeded; cap_rights_set(&rights, CAP_LOOKUP); if (cnp->cn_flags & AUDITVNODE1) AUDIT_ARG_ATFD1(ndp->ni_dirfd); if (cnp->cn_flags & AUDITVNODE2) AUDIT_ARG_ATFD2(ndp->ni_dirfd); /* * Effectively inlined fgetvp_rights, because we need to * inspect the file as well as grabbing the vnode. */ error = fget_cap_locked(fdp, ndp->ni_dirfd, &rights, &dfp, &ndp->ni_filecaps); if (error != 0) { /* * Preserve the error; it should either be EBADF * or capability-related, both of which can be * safely returned to the caller. */ } else if (dfp->f_ops == &badfileops) { error = EBADF; } else if (dfp->f_vnode == NULL) { error = ENOTDIR; } else { dp = dfp->f_vnode; vrefact(dp); if ((dfp->f_flag & FSEARCH) != 0) cnp->cn_flags |= NOEXECCHECK; } #ifdef CAPABILITIES /* * If file descriptor doesn't have all rights, * all lookups relative to it must also be * strictly relative. 
*/ CAP_ALL(&rights); if (!cap_rights_contains(&ndp->ni_filecaps.fc_rights, &rights) || ndp->ni_filecaps.fc_fcntls != CAP_FCNTL_ALL || ndp->ni_filecaps.fc_nioctls != -1) { ndp->ni_lcf |= NI_LCF_STRICTRELATIVE; } #endif } if (error == 0 && dp->v_type != VDIR) error = ENOTDIR; } if (error == 0 && (cnp->cn_flags & BENEATH) != 0) { if (ndp->ni_dirfd == AT_FDCWD) { ndp->ni_beneath_latch = fdp->fd_cdir; vrefact(ndp->ni_beneath_latch); } else { rights = ndp->ni_rightsneeded; cap_rights_set(&rights, CAP_LOOKUP); error = fgetvp_rights(td, ndp->ni_dirfd, &rights, &dirfd_caps, &ndp->ni_beneath_latch); if (error == 0 && dp->v_type != VDIR) { vrele(ndp->ni_beneath_latch); error = ENOTDIR; } } if (error == 0) ndp->ni_lcf |= NI_LCF_LATCH; } FILEDESC_SUNLOCK(fdp); if (ndp->ni_startdir != NULL && !startdir_used) vrele(ndp->ni_startdir); if (error != 0) { if (dp != NULL) vrele(dp); goto out; } MPASS((ndp->ni_lcf & (NI_LCF_BENEATH_ABS | NI_LCF_LATCH)) != NI_LCF_BENEATH_ABS); if (((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) != 0 && lookup_cap_dotdot != 0) || ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) == 0 && (cnp->cn_flags & BENEATH) != 0)) ndp->ni_lcf |= NI_LCF_CAP_DOTDOT; SDT_PROBE3(vfs, namei, lookup, entry, dp, cnp->cn_pnbuf, cnp->cn_flags); for (;;) { ndp->ni_startdir = dp; error = lookup(ndp); if (error != 0) goto out; /* * If not a symbolic link, we're done. */ if ((cnp->cn_flags & ISSYMLINK) == 0) { vrele(ndp->ni_rootdir); if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) { namei_cleanup_cnp(cnp); } else cnp->cn_flags |= HASBUF; if ((ndp->ni_lcf & (NI_LCF_BENEATH_ABS | NI_LCF_BENEATH_LATCHED)) == NI_LCF_BENEATH_ABS) { NDFREE(ndp, 0); error = ENOTCAPABLE; } nameicap_cleanup(ndp, true); SDT_PROBE2(vfs, namei, lookup, return, error, (error == 0 ? 
ndp->ni_vp : NULL)); return (error); } if (ndp->ni_loopcnt++ >= MAXSYMLINKS) { error = ELOOP; break; } #ifdef MAC if ((cnp->cn_flags & NOMACCHECK) == 0) { error = mac_vnode_check_readlink(td->td_ucred, ndp->ni_vp); if (error != 0) break; } #endif if (ndp->ni_pathlen > 1) cp = uma_zalloc(namei_zone, M_WAITOK); else cp = cnp->cn_pnbuf; aiov.iov_base = cp; aiov.iov_len = MAXPATHLEN; auio.uio_iov = &aiov; auio.uio_iovcnt = 1; auio.uio_offset = 0; auio.uio_rw = UIO_READ; auio.uio_segflg = UIO_SYSSPACE; auio.uio_td = td; auio.uio_resid = MAXPATHLEN; error = VOP_READLINK(ndp->ni_vp, &auio, cnp->cn_cred); if (error != 0) { if (ndp->ni_pathlen > 1) uma_zfree(namei_zone, cp); break; } linklen = MAXPATHLEN - auio.uio_resid; if (linklen == 0) { if (ndp->ni_pathlen > 1) uma_zfree(namei_zone, cp); error = ENOENT; break; } if (linklen + ndp->ni_pathlen > MAXPATHLEN) { if (ndp->ni_pathlen > 1) uma_zfree(namei_zone, cp); error = ENAMETOOLONG; break; } if (ndp->ni_pathlen > 1) { bcopy(ndp->ni_next, cp + linklen, ndp->ni_pathlen); uma_zfree(namei_zone, cnp->cn_pnbuf); cnp->cn_pnbuf = cp; } else cnp->cn_pnbuf[linklen] = '\0'; ndp->ni_pathlen += linklen; vput(ndp->ni_vp); dp = ndp->ni_dvp; /* * Check if root directory should replace current directory. 
*/ cnp->cn_nameptr = cnp->cn_pnbuf; if (*(cnp->cn_nameptr) == '/') { vrele(dp); error = namei_handle_root(ndp, &dp, 1); if (error != 0) goto out; } } vput(ndp->ni_vp); ndp->ni_vp = NULL; vrele(ndp->ni_dvp); out: vrele(ndp->ni_rootdir); MPASS(error != 0); namei_cleanup_cnp(cnp); nameicap_cleanup(ndp, true); SDT_PROBE2(vfs, namei, lookup, return, error, NULL); return (error); } static int compute_cn_lkflags(struct mount *mp, int lkflags, int cnflags) { if (mp == NULL || ((lkflags & LK_SHARED) && (!(mp->mnt_kern_flag & MNTK_LOOKUP_SHARED) || ((cnflags & ISDOTDOT) && (mp->mnt_kern_flag & MNTK_LOOKUP_EXCL_DOTDOT))))) { lkflags &= ~LK_SHARED; lkflags |= LK_EXCLUSIVE; } lkflags |= LK_NODDLKTREAT; return (lkflags); } static __inline int needs_exclusive_leaf(struct mount *mp, int flags) { /* * Intermediate nodes can use shared locks, we only need to * force an exclusive lock for leaf nodes. */ if ((flags & (ISLASTCN | LOCKLEAF)) != (ISLASTCN | LOCKLEAF)) return (0); /* Always use exclusive locks if LOCKSHARED isn't set. */ if (!(flags & LOCKSHARED)) return (1); /* * For lookups during open(), if the mount point supports * extended shared operations, then use a shared lock for the * leaf node, otherwise use an exclusive lock. */ if ((flags & ISOPEN) != 0) return (!MNT_EXTENDED_SHARED(mp)); /* * Lookup requests outside of open() that specify LOCKSHARED * only need a shared lock on the leaf vnode. */ return (0); } /* * Search a pathname. * This is a very central and rather complicated routine. * * The pathname is pointed to by ni_ptr and is of length ni_pathlen. * The starting directory is taken from ni_startdir. The pathname is * descended until done, or a symbolic link is encountered. The variable * ni_more is clear if the path is completed; it is set to one if a * symbolic link needing interpretation is encountered. * * The flag argument is LOOKUP, CREATE, RENAME, or DELETE depending on * whether the name is to be looked up, created, renamed, or deleted. 
* When CREATE, RENAME, or DELETE is specified, information usable in * creating, renaming, or deleting a directory entry may be calculated. * If flag has LOCKPARENT or'ed into it, the parent directory is returned * locked. If flag has WANTPARENT or'ed into it, the parent directory is * returned unlocked. Otherwise the parent directory is not returned. If * the target of the pathname exists and LOCKLEAF is or'ed into the flag * the target is returned locked, otherwise it is returned unlocked. * When creating or renaming and LOCKPARENT is specified, the target may not * be ".". When deleting and LOCKPARENT is specified, the target may be ".". * * Overall outline of lookup: * * dirloop: * identify next component of name at ndp->ni_ptr * handle degenerate case where name is null string * if .. and crossing mount points and on mounted filesys, find parent * call VOP_LOOKUP routine for next component name * directory vnode returned in ni_dvp, unlocked unless LOCKPARENT set * component vnode returned in ni_vp (if it exists), locked. 
* if result vnode is mounted on and crossing mount points, * find mounted on vnode * if more components of name, do next level at dirloop * return the answer in ni_vp, locked if LOCKLEAF set * if LOCKPARENT set, return locked parent in ni_dvp * if WANTPARENT set, return unlocked parent in ni_dvp */ int lookup(struct nameidata *ndp) { char *cp; /* pointer into pathname argument */ char *prev_ni_next; /* saved ndp->ni_next */ struct vnode *dp = NULL; /* the directory we are searching */ struct vnode *tdp; /* saved dp */ struct mount *mp; /* mount table entry */ struct prison *pr; size_t prev_ni_pathlen; /* saved ndp->ni_pathlen */ int docache; /* == 0 do not cache last component */ int wantparent; /* 1 => wantparent or lockparent flag */ int rdonly; /* lookup read-only flag bit */ int error = 0; int dpunlocked = 0; /* dp has already been unlocked */ int relookup = 0; /* do not consume the path component */ struct componentname *cnp = &ndp->ni_cnd; int lkflags_save; int ni_dvp_unlocked; /* * Setup: break out flag bits into variables. */ ni_dvp_unlocked = 0; wantparent = cnp->cn_flags & (LOCKPARENT | WANTPARENT); KASSERT(cnp->cn_nameiop == LOOKUP || wantparent, ("CREATE, DELETE, RENAME require LOCKPARENT or WANTPARENT.")); docache = (cnp->cn_flags & NOCACHE) ^ NOCACHE; if (cnp->cn_nameiop == DELETE || (wantparent && cnp->cn_nameiop != CREATE && cnp->cn_nameiop != LOOKUP)) docache = 0; rdonly = cnp->cn_flags & RDONLY; cnp->cn_flags &= ~ISSYMLINK; ndp->ni_dvp = NULL; /* * We use shared locks until we hit the parent of the last cn then * we adjust based on the requesting flags. */ cnp->cn_lkflags = LK_SHARED; dp = ndp->ni_startdir; ndp->ni_startdir = NULLVP; vn_lock(dp, compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags | LK_RETRY, cnp->cn_flags)); dirloop: /* * Search a new directory. * * The last component of the filename is left accessible via * cnp->cn_nameptr for callers that need the name. Callers needing * the name set the SAVENAME flag. 
When done, they assume * responsibility for freeing the pathname buffer. */ for (cp = cnp->cn_nameptr; *cp != 0 && *cp != '/'; cp++) continue; cnp->cn_namelen = cp - cnp->cn_nameptr; if (cnp->cn_namelen > NAME_MAX) { error = ENAMETOOLONG; goto bad; } #ifdef NAMEI_DIAGNOSTIC { char c = *cp; *cp = '\0'; printf("{%s}: ", cnp->cn_nameptr); *cp = c; } #endif prev_ni_pathlen = ndp->ni_pathlen; ndp->ni_pathlen -= cnp->cn_namelen; KASSERT(ndp->ni_pathlen <= PATH_MAX, ("%s: ni_pathlen underflow to %zd\n", __func__, ndp->ni_pathlen)); prev_ni_next = ndp->ni_next; ndp->ni_next = cp; /* * Replace multiple slashes by a single slash and trailing slashes * by a null. This must be done before VOP_LOOKUP() because some * fs's don't know about trailing slashes. Remember if there were * trailing slashes to handle symlinks, existing non-directories * and non-existing files that won't be directories specially later. */ while (*cp == '/' && (cp[1] == '/' || cp[1] == '\0')) { cp++; ndp->ni_pathlen--; if (*cp == '\0') { *ndp->ni_next = '\0'; cnp->cn_flags |= TRAILINGSLASH; } } ndp->ni_next = cp; cnp->cn_flags |= MAKEENTRY; if (*cp == '\0' && docache == 0) cnp->cn_flags &= ~MAKEENTRY; if (cnp->cn_namelen == 2 && cnp->cn_nameptr[1] == '.' && cnp->cn_nameptr[0] == '.') cnp->cn_flags |= ISDOTDOT; else cnp->cn_flags &= ~ISDOTDOT; if (*ndp->ni_next == 0) cnp->cn_flags |= ISLASTCN; else cnp->cn_flags &= ~ISLASTCN; if ((cnp->cn_flags & ISLASTCN) != 0 && cnp->cn_namelen == 1 && cnp->cn_nameptr[0] == '.' && (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) { error = EINVAL; goto bad; } nameicap_tracker_add(ndp, dp); /* * Check for degenerate name (e.g. / or "") * which is a way of talking about a directory, * e.g. like "/." or ".". 
*/ if (cnp->cn_nameptr[0] == '\0') { if (dp->v_type != VDIR) { error = ENOTDIR; goto bad; } if (cnp->cn_nameiop != LOOKUP) { error = EISDIR; goto bad; } if (wantparent) { ndp->ni_dvp = dp; VREF(dp); } ndp->ni_vp = dp; if (cnp->cn_flags & AUDITVNODE1) AUDIT_ARG_VNODE1(dp); else if (cnp->cn_flags & AUDITVNODE2) AUDIT_ARG_VNODE2(dp); if (!(cnp->cn_flags & (LOCKPARENT | LOCKLEAF))) VOP_UNLOCK(dp); /* XXX This should probably move to the top of function. */ if (cnp->cn_flags & SAVESTART) panic("lookup: SAVESTART"); goto success; } /* * Handle "..": five special cases. * 0. If doing a capability lookup and lookup_cap_dotdot is * disabled, return ENOTCAPABLE. * 1. Return an error if this is the last component of * the name and the operation is DELETE or RENAME. * 2. If at root directory (e.g. after chroot) * or at absolute root directory * then ignore it so can't get out. * 3. If this vnode is the root of a mounted * filesystem, then replace it with the * vnode which was mounted on so we take the * .. in the other filesystem. * 4. If the vnode is the top directory of * the jail or chroot, don't let them out. * 5. If doing a capability lookup and lookup_cap_dotdot is * enabled, return ENOTCAPABLE if the lookup would escape * from the initial file descriptor directory. Checks are * done by ensuring that namei() already traversed the * result of dotdot lookup. 
*/ if (cnp->cn_flags & ISDOTDOT) { if ((ndp->ni_lcf & (NI_LCF_STRICTRELATIVE | NI_LCF_CAP_DOTDOT)) == NI_LCF_STRICTRELATIVE) { #ifdef KTRACE if (KTRPOINT(curthread, KTR_CAPFAIL)) ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL); #endif error = ENOTCAPABLE; goto bad; } if ((cnp->cn_flags & ISLASTCN) != 0 && (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) { error = EINVAL; goto bad; } for (;;) { for (pr = cnp->cn_cred->cr_prison; pr != NULL; pr = pr->pr_parent) if (dp == pr->pr_root) break; if (dp == ndp->ni_rootdir || dp == ndp->ni_topdir || dp == rootvnode || pr != NULL || ((dp->v_vflag & VV_ROOT) != 0 && (cnp->cn_flags & NOCROSSMOUNT) != 0)) { ndp->ni_dvp = dp; ndp->ni_vp = dp; VREF(dp); goto nextname; } if ((dp->v_vflag & VV_ROOT) == 0) break; if (VN_IS_DOOMED(dp)) { /* forced unmount */ error = ENOENT; goto bad; } tdp = dp; dp = dp->v_mount->mnt_vnodecovered; VREF(dp); vput(tdp); vn_lock(dp, compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags | LK_RETRY, ISDOTDOT)); error = nameicap_check_dotdot(ndp, dp); if (error != 0) { #ifdef KTRACE if (KTRPOINT(curthread, KTR_CAPFAIL)) ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL); #endif goto bad; } } } /* * We now have a segment name to search for, and a directory to search. */ unionlookup: #ifdef MAC - if ((cnp->cn_flags & NOMACCHECK) == 0) { - error = mac_vnode_check_lookup(cnp->cn_thread->td_ucred, dp, - cnp); - if (error) - goto bad; - } + error = mac_vnode_check_lookup(cnp->cn_thread->td_ucred, dp, cnp); + if (error) + goto bad; #endif ndp->ni_dvp = dp; ndp->ni_vp = NULL; ASSERT_VOP_LOCKED(dp, "lookup"); /* * If we have a shared lock we may need to upgrade the lock for the * last operation. */ if ((cnp->cn_flags & LOCKPARENT) && (cnp->cn_flags & ISLASTCN) && dp != vp_crossmp && VOP_ISLOCKED(dp) == LK_SHARED) vn_lock(dp, LK_UPGRADE|LK_RETRY); if (VN_IS_DOOMED(dp)) { error = ENOENT; goto bad; } /* * If we're looking up the last component and we need an exclusive * lock, adjust our lkflags. 
*/ if (needs_exclusive_leaf(dp->v_mount, cnp->cn_flags)) cnp->cn_lkflags = LK_EXCLUSIVE; #ifdef NAMEI_DIAGNOSTIC vn_printf(dp, "lookup in "); #endif lkflags_save = cnp->cn_lkflags; cnp->cn_lkflags = compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags, cnp->cn_flags); error = VOP_LOOKUP(dp, &ndp->ni_vp, cnp); cnp->cn_lkflags = lkflags_save; if (error != 0) { KASSERT(ndp->ni_vp == NULL, ("leaf should be empty")); #ifdef NAMEI_DIAGNOSTIC printf("not found\n"); #endif if ((error == ENOENT) && (dp->v_vflag & VV_ROOT) && (dp->v_mount != NULL) && (dp->v_mount->mnt_flag & MNT_UNION)) { tdp = dp; dp = dp->v_mount->mnt_vnodecovered; VREF(dp); vput(tdp); vn_lock(dp, compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags | LK_RETRY, cnp->cn_flags)); nameicap_tracker_add(ndp, dp); goto unionlookup; } if (error == ERELOOKUP) { vref(dp); ndp->ni_vp = dp; error = 0; relookup = 1; goto good; } if (error != EJUSTRETURN) goto bad; /* * At this point, we know we're at the end of the * pathname. If creating / renaming, we can consider * allowing the file or directory to be created / renamed, * provided we're not on a read-only filesystem. */ if (rdonly) { error = EROFS; goto bad; } /* trailing slash only allowed for directories */ if ((cnp->cn_flags & TRAILINGSLASH) && !(cnp->cn_flags & WILLBEDIR)) { error = ENOENT; goto bad; } if ((cnp->cn_flags & LOCKPARENT) == 0) VOP_UNLOCK(dp); /* * We return with ni_vp NULL to indicate that the entry * doesn't currently exist, leaving a pointer to the * (possibly locked) directory vnode in ndp->ni_dvp. */ if (cnp->cn_flags & SAVESTART) { ndp->ni_startdir = ndp->ni_dvp; VREF(ndp->ni_startdir); } goto success; } good: #ifdef NAMEI_DIAGNOSTIC printf("found\n"); #endif dp = ndp->ni_vp; /* * Check to see if the vnode has been mounted on; * if so find the root of the mounted filesystem. 
*/ while (dp->v_type == VDIR && (mp = dp->v_mountedhere) && (cnp->cn_flags & NOCROSSMOUNT) == 0) { if (vfs_busy(mp, 0)) continue; vput(dp); if (dp != ndp->ni_dvp) vput(ndp->ni_dvp); else vrele(ndp->ni_dvp); vrefact(vp_crossmp); ndp->ni_dvp = vp_crossmp; error = VFS_ROOT(mp, compute_cn_lkflags(mp, cnp->cn_lkflags, cnp->cn_flags), &tdp); vfs_unbusy(mp); if (vn_lock(vp_crossmp, LK_SHARED | LK_NOWAIT)) panic("vp_crossmp exclusively locked or reclaimed"); if (error) { dpunlocked = 1; goto bad2; } ndp->ni_vp = dp = tdp; } /* * Check for symbolic link */ if ((dp->v_type == VLNK) && ((cnp->cn_flags & FOLLOW) || (cnp->cn_flags & TRAILINGSLASH) || *ndp->ni_next == '/')) { cnp->cn_flags |= ISSYMLINK; if (VN_IS_DOOMED(dp)) { /* * We can't know whether the directory was mounted with * NOSYMFOLLOW, so we can't follow safely. */ error = ENOENT; goto bad2; } if (dp->v_mount->mnt_flag & MNT_NOSYMFOLLOW) { error = EACCES; goto bad2; } /* * Symlink code always expects an unlocked dvp. */ if (ndp->ni_dvp != ndp->ni_vp) { VOP_UNLOCK(ndp->ni_dvp); ni_dvp_unlocked = 1; } goto success; } nextname: /* * Not a symbolic link that we will follow. Continue with the * next component if there is any; otherwise, we're done. 
*/ KASSERT((cnp->cn_flags & ISLASTCN) || *ndp->ni_next == '/', ("lookup: invalid path state.")); if (relookup) { relookup = 0; ndp->ni_pathlen = prev_ni_pathlen; ndp->ni_next = prev_ni_next; if (ndp->ni_dvp != dp) vput(ndp->ni_dvp); else vrele(ndp->ni_dvp); goto dirloop; } if (cnp->cn_flags & ISDOTDOT) { error = nameicap_check_dotdot(ndp, ndp->ni_vp); if (error != 0) { #ifdef KTRACE if (KTRPOINT(curthread, KTR_CAPFAIL)) ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL); #endif goto bad2; } } if (*ndp->ni_next == '/') { cnp->cn_nameptr = ndp->ni_next; while (*cnp->cn_nameptr == '/') { cnp->cn_nameptr++; ndp->ni_pathlen--; } if (ndp->ni_dvp != dp) vput(ndp->ni_dvp); else vrele(ndp->ni_dvp); goto dirloop; } /* * If we're processing a path with a trailing slash, * check that the end result is a directory. */ if ((cnp->cn_flags & TRAILINGSLASH) && dp->v_type != VDIR) { error = ENOTDIR; goto bad2; } /* * Disallow directory write attempts on read-only filesystems. */ if (rdonly && (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) { error = EROFS; goto bad2; } if (cnp->cn_flags & SAVESTART) { ndp->ni_startdir = ndp->ni_dvp; VREF(ndp->ni_startdir); } if (!wantparent) { ni_dvp_unlocked = 2; if (ndp->ni_dvp != dp) vput(ndp->ni_dvp); else vrele(ndp->ni_dvp); } else if ((cnp->cn_flags & LOCKPARENT) == 0 && ndp->ni_dvp != dp) { VOP_UNLOCK(ndp->ni_dvp); ni_dvp_unlocked = 1; } if (cnp->cn_flags & AUDITVNODE1) AUDIT_ARG_VNODE1(dp); else if (cnp->cn_flags & AUDITVNODE2) AUDIT_ARG_VNODE2(dp); if ((cnp->cn_flags & LOCKLEAF) == 0) VOP_UNLOCK(dp); success: /* * Because of shared lookup we may have the vnode shared locked, but * the caller may want it to be exclusively locked. 
*/ if (needs_exclusive_leaf(dp->v_mount, cnp->cn_flags) && VOP_ISLOCKED(dp) != LK_EXCLUSIVE) { vn_lock(dp, LK_UPGRADE | LK_RETRY); if (VN_IS_DOOMED(dp)) { error = ENOENT; goto bad2; } } return (0); bad2: if (ni_dvp_unlocked != 2) { if (dp != ndp->ni_dvp && !ni_dvp_unlocked) vput(ndp->ni_dvp); else vrele(ndp->ni_dvp); } bad: if (!dpunlocked) vput(dp); ndp->ni_vp = NULL; return (error); } /* * relookup - lookup a path name component * Used by lookup to re-acquire things. */ int relookup(struct vnode *dvp, struct vnode **vpp, struct componentname *cnp) { struct vnode *dp = NULL; /* the directory we are searching */ int wantparent; /* 1 => wantparent or lockparent flag */ int rdonly; /* lookup read-only flag bit */ int error = 0; KASSERT(cnp->cn_flags & ISLASTCN, ("relookup: Not given last component.")); /* * Setup: break out flag bits into variables. */ wantparent = cnp->cn_flags & (LOCKPARENT|WANTPARENT); KASSERT(wantparent, ("relookup: parent not wanted.")); rdonly = cnp->cn_flags & RDONLY; cnp->cn_flags &= ~ISSYMLINK; dp = dvp; cnp->cn_lkflags = LK_EXCLUSIVE; vn_lock(dp, LK_EXCLUSIVE | LK_RETRY); /* * Search a new directory. * * The last component of the filename is left accessible via * cnp->cn_nameptr for callers that need the name. Callers needing * the name set the SAVENAME flag. When done, they assume * responsibility for freeing the pathname buffer. */ #ifdef NAMEI_DIAGNOSTIC printf("{%s}: ", cnp->cn_nameptr); #endif /* * Check for "" which represents the root directory after slash * removal. */ if (cnp->cn_nameptr[0] == '\0') { /* * Support only LOOKUP for "/" because lookup() * can't succeed for CREATE, DELETE and RENAME. */ KASSERT(cnp->cn_nameiop == LOOKUP, ("nameiop must be LOOKUP")); KASSERT(dp->v_type == VDIR, ("dp is not a directory")); if (!(cnp->cn_flags & LOCKLEAF)) VOP_UNLOCK(dp); *vpp = dp; /* XXX This should probably move to the top of function. 
*/ if (cnp->cn_flags & SAVESTART) panic("lookup: SAVESTART"); return (0); } if (cnp->cn_flags & ISDOTDOT) panic ("relookup: lookup on dot-dot"); /* * We now have a segment name to search for, and a directory to search. */ #ifdef NAMEI_DIAGNOSTIC vn_printf(dp, "search in "); #endif if ((error = VOP_LOOKUP(dp, vpp, cnp)) != 0) { KASSERT(*vpp == NULL, ("leaf should be empty")); if (error != EJUSTRETURN) goto bad; /* * If creating and at end of pathname, then can consider * allowing file to be created. */ if (rdonly) { error = EROFS; goto bad; } /* ASSERT(dvp == ndp->ni_startdir) */ if (cnp->cn_flags & SAVESTART) VREF(dvp); if ((cnp->cn_flags & LOCKPARENT) == 0) VOP_UNLOCK(dp); /* * We return with ni_vp NULL to indicate that the entry * doesn't currently exist, leaving a pointer to the * (possibly locked) directory vnode in ndp->ni_dvp. */ return (0); } dp = *vpp; /* * Disallow directory write attempts on read-only filesystems. */ if (rdonly && (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) { if (dvp == dp) vrele(dvp); else vput(dvp); error = EROFS; goto bad; } /* * Set the parent lock/ref state to the requested state. 
*/ if ((cnp->cn_flags & LOCKPARENT) == 0 && dvp != dp) { if (wantparent) VOP_UNLOCK(dvp); else vput(dvp); } else if (!wantparent) vrele(dvp); /* * Check for symbolic link */ KASSERT(dp->v_type != VLNK || !(cnp->cn_flags & FOLLOW), ("relookup: symlink found.\n")); /* ASSERT(dvp == ndp->ni_startdir) */ if (cnp->cn_flags & SAVESTART) VREF(dvp); if ((cnp->cn_flags & LOCKLEAF) == 0) VOP_UNLOCK(dp); return (0); bad: vput(dp); *vpp = NULL; return (error); } void NDINIT_ALL(struct nameidata *ndp, u_long op, u_long flags, enum uio_seg segflg, const char *namep, int dirfd, struct vnode *startdir, cap_rights_t *rightsp, struct thread *td) { ndp->ni_cnd.cn_nameiop = op; ndp->ni_cnd.cn_flags = flags; ndp->ni_segflg = segflg; ndp->ni_dirp = namep; ndp->ni_dirfd = dirfd; ndp->ni_startdir = startdir; ndp->ni_resflags = 0; filecaps_init(&ndp->ni_filecaps); ndp->ni_cnd.cn_thread = td; if (rightsp != NULL) ndp->ni_rightsneeded = *rightsp; else cap_rights_init(&ndp->ni_rightsneeded); } /* * Free data allocated by namei(); see namei(9) for details. 
*/ void NDFREE(struct nameidata *ndp, const u_int flags) { int unlock_dvp; int unlock_vp; unlock_dvp = 0; unlock_vp = 0; if (!(flags & NDF_NO_FREE_PNBUF) && (ndp->ni_cnd.cn_flags & HASBUF)) { uma_zfree(namei_zone, ndp->ni_cnd.cn_pnbuf); ndp->ni_cnd.cn_flags &= ~HASBUF; } if (!(flags & NDF_NO_VP_UNLOCK) && (ndp->ni_cnd.cn_flags & LOCKLEAF) && ndp->ni_vp) unlock_vp = 1; if (!(flags & NDF_NO_DVP_UNLOCK) && (ndp->ni_cnd.cn_flags & LOCKPARENT) && ndp->ni_dvp != ndp->ni_vp) unlock_dvp = 1; if (!(flags & NDF_NO_VP_RELE) && ndp->ni_vp) { if (unlock_vp) { vput(ndp->ni_vp); unlock_vp = 0; } else vrele(ndp->ni_vp); ndp->ni_vp = NULL; } if (unlock_vp) VOP_UNLOCK(ndp->ni_vp); if (!(flags & NDF_NO_DVP_RELE) && (ndp->ni_cnd.cn_flags & (LOCKPARENT|WANTPARENT))) { if (unlock_dvp) { vput(ndp->ni_dvp); unlock_dvp = 0; } else vrele(ndp->ni_dvp); ndp->ni_dvp = NULL; } if (unlock_dvp) VOP_UNLOCK(ndp->ni_dvp); if (!(flags & NDF_NO_STARTDIR_RELE) && (ndp->ni_cnd.cn_flags & SAVESTART)) { vrele(ndp->ni_startdir); ndp->ni_startdir = NULL; } } /* * Determine if there is a suitable alternate filename under the specified * prefix for the specified path. If the create flag is set, then the * alternate prefix will be used so long as the parent directory exists. * This is used by the various compatibility ABIs so that Linux binaries prefer * files under /compat/linux for example. The chosen path (whether under * the prefix or under /) is returned in a kernel malloc'd buffer pointed * to by pathbuf. The caller is responsible for free'ing the buffer from * the M_TEMP bucket if one is returned. */ int kern_alternate_path(struct thread *td, const char *prefix, const char *path, enum uio_seg pathseg, char **pathbuf, int create, int dirfd) { struct nameidata nd, ndroot; char *ptr, *buf, *cp; size_t len, sz; int error; buf = (char *) malloc(MAXPATHLEN, M_TEMP, M_WAITOK); *pathbuf = buf; /* Copy the prefix into the new pathname as a starting point. 
*/ len = strlcpy(buf, prefix, MAXPATHLEN); if (len >= MAXPATHLEN) { *pathbuf = NULL; free(buf, M_TEMP); return (EINVAL); } sz = MAXPATHLEN - len; ptr = buf + len; /* Append the filename to the prefix. */ if (pathseg == UIO_SYSSPACE) error = copystr(path, ptr, sz, &len); else error = copyinstr(path, ptr, sz, &len); if (error) { *pathbuf = NULL; free(buf, M_TEMP); return (error); } /* Only use a prefix with absolute pathnames. */ if (*ptr != '/') { error = EINVAL; goto keeporig; } if (dirfd != AT_FDCWD) { /* * We want the original because the "prefix" is * included in the already opened dirfd. */ bcopy(ptr, buf, len); return (0); } /* * We know that there is a / somewhere in this pathname. * Search backwards for it, to find the file's parent dir * to see if it exists in the alternate tree. If it does, * and we want to create a file (cflag is set). We don't * need to worry about the root comparison in this case. */ if (create) { for (cp = &ptr[len] - 1; *cp != '/'; cp--); *cp = '\0'; NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, buf, td); error = namei(&nd); *cp = '/'; if (error != 0) goto keeporig; } else { NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, buf, td); error = namei(&nd); if (error != 0) goto keeporig; /* * We now compare the vnode of the prefix to the one * vnode asked. If they resolve to be the same, then we * ignore the match so that the real root gets used. * This avoids the problem of traversing "../.." to find the * root directory and never finding it, because "/" resolves * to the emulation root directory. This is expensive :-( */ NDINIT(&ndroot, LOOKUP, FOLLOW, UIO_SYSSPACE, prefix, td); /* We shouldn't ever get an error from this namei(). */ error = namei(&ndroot); if (error == 0) { if (nd.ni_vp == ndroot.ni_vp) error = ENOENT; NDFREE(&ndroot, NDF_ONLY_PNBUF); vrele(ndroot.ni_vp); } } NDFREE(&nd, NDF_ONLY_PNBUF); vrele(nd.ni_vp); keeporig: /* If there was an error, use the original path name. 
*/ if (error) bcopy(ptr, buf, len); return (error); }
Index: head/sys/security/mac/mac_framework.c
===================================================================
--- head/sys/security/mac/mac_framework.c (revision 357888)
+++ head/sys/security/mac/mac_framework.c (revision 357889)
@@ -1,697 +1,715 @@ /*- * Copyright (c) 1999-2002, 2006, 2009 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * Copyright (c) 2005-2006 SPARTA, Inc. * Copyright (c) 2008-2009 Apple Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the * TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by Network * Associates Laboratories, the Security Research Division of Network * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * * This software was developed at the University of Cambridge Computer * Laboratory with support from a grant from Google, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /*- * Framework for extensible kernel access control. This file contains core * kernel infrastructure for the TrustedBSD MAC Framework, including policy * registration, versioning, locking, error composition operator, and system * calls. * * The MAC Framework implements three programming interfaces: * * - The kernel MAC interface, defined in mac_framework.h, and invoked * throughout the kernel to request security decisions, notify of security * related events, etc. * * - The MAC policy module interface, defined in mac_policy.h, which is * implemented by MAC policy modules and invoked by the MAC Framework to * forward kernel security requests and notifications to policy modules. * * - The user MAC API, defined in mac.h, which allows user programs to query * and set label state on objects. * * The majority of the MAC Framework implementation may be found in * src/sys/security/mac. Sample policy modules may be found in * src/sys/security/mac_*. */ #include "opt_mac.h" #include __FBSDID("$FreeBSD$"); #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* * DTrace SDT providers for MAC. 
*/ SDT_PROVIDER_DEFINE(mac); SDT_PROVIDER_DEFINE(mac_framework); SDT_PROBE_DEFINE2(mac, , policy, modevent, "int", "struct mac_policy_conf *"); SDT_PROBE_DEFINE1(mac, , policy, register, "struct mac_policy_conf *"); SDT_PROBE_DEFINE1(mac, , policy, unregister, "struct mac_policy_conf *"); /* * Root sysctl node for all MAC and MAC policy controls. */ SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0, "TrustedBSD MAC policy controls"); /* * Declare that the kernel provides MAC support, version 3 (FreeBSD 7.x). * This permits modules to refuse to be loaded if the necessary support isn't * present, even if it's pre-boot. */ MODULE_VERSION(kernel_mac_support, MAC_VERSION); static unsigned int mac_version = MAC_VERSION; SYSCTL_UINT(_security_mac, OID_AUTO, version, CTLFLAG_RD, &mac_version, 0, ""); /* * Flags for inlined checks. */ #define FPFLAG(f) \ bool __read_frequently mac_##f##_fp_flag FPFLAG(priv_check); FPFLAG(priv_grant); +FPFLAG(vnode_check_lookup); +FPFLAG(vnode_check_open); +FPFLAG(vnode_check_stat); +FPFLAG(vnode_check_read); +FPFLAG(vnode_check_write); +FPFLAG(vnode_check_mmap); #undef FPFLAG /* * Labels consist of a indexed set of "slots", which are allocated policies * as required. The MAC Framework maintains a bitmask of slots allocated so * far to prevent reuse. Slots cannot be reused, as the MAC Framework * guarantees that newly allocated slots in labels will be NULL unless * otherwise initialized, and because we do not have a mechanism to garbage * collect slots on policy unload. As labeled policies tend to be statically * loaded during boot, and not frequently unloaded and reloaded, this is not * generally an issue. */ #if MAC_MAX_SLOTS > 32 #error "MAC_MAX_SLOTS too large" #endif static unsigned int mac_max_slots = MAC_MAX_SLOTS; static unsigned int mac_slot_offsets_free = (1 << MAC_MAX_SLOTS) - 1; SYSCTL_UINT(_security_mac, OID_AUTO, max_slots, CTLFLAG_RD, &mac_max_slots, 0, ""); /* * Has the kernel started generating labeled objects yet? 
All read/write * access to this variable is serialized during the boot process. Following * the end of serialization, we don't update this flag; no locking. */ static int mac_late = 0; /* * Each policy declares a mask of object types requiring labels to be * allocated for them. For convenience, we combine and cache the bitwise or * of the per-policy object flags to track whether we will allocate a label * for an object type at run-time. */ uint64_t mac_labeled; SYSCTL_UQUAD(_security_mac, OID_AUTO, labeled, CTLFLAG_RD, &mac_labeled, 0, "Mask of object types being labeled"); MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage"); /* * MAC policy modules are placed in one of two lists: mac_static_policy_list, * for policies that are loaded early and cannot be unloaded, and * mac_policy_list, which holds policies either loaded later in the boot * cycle or that may be unloaded. The static policy list does not require * locks to iterate over, but the dynamic list requires synchronization. * Support for dynamic policy loading can be compiled out using the * MAC_STATIC kernel option. * * The dynamic policy list is protected by two locks: modifying the list * requires both locks to be held exclusively. One of the locks, * mac_policy_rm, is acquired over policy entry points that will never sleep; * the other, mac_policy_sx, is acquire over policy entry points that may * sleep. The former category will be used when kernel locks may be held * over calls to the MAC Framework, during network processing in ithreads, * etc. The latter will tend to involve potentially blocking memory * allocations, extended attribute I/O, etc. */ #ifndef MAC_STATIC static struct rmlock mac_policy_rm; /* Non-sleeping entry points. */ static struct sx mac_policy_sx; /* Sleeping entry points. */ static struct rmslock mac_policy_rms; #endif struct mac_policy_list_head mac_policy_list; struct mac_policy_list_head mac_static_policy_list; u_int mac_policy_count; /* Registered policy count. 
*/ static void mac_policy_xlock(void); static void mac_policy_xlock_assert(void); static void mac_policy_xunlock(void); void mac_policy_slock_nosleep(struct rm_priotracker *tracker) { #ifndef MAC_STATIC if (!mac_late) return; rm_rlock(&mac_policy_rm, tracker); #endif } void mac_policy_slock_sleep(void) { WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "mac_policy_slock_sleep"); #ifndef MAC_STATIC if (!mac_late) return; rms_rlock(&mac_policy_rms); #endif } void mac_policy_sunlock_nosleep(struct rm_priotracker *tracker) { #ifndef MAC_STATIC if (!mac_late) return; rm_runlock(&mac_policy_rm, tracker); #endif } void mac_policy_sunlock_sleep(void) { #ifndef MAC_STATIC if (!mac_late) return; rms_runlock(&mac_policy_rms); #endif } static void mac_policy_xlock(void) { WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "mac_policy_xlock()"); #ifndef MAC_STATIC if (!mac_late) return; sx_xlock(&mac_policy_sx); rms_wlock(&mac_policy_rms); rm_wlock(&mac_policy_rm); #endif } static void mac_policy_xunlock(void) { #ifndef MAC_STATIC if (!mac_late) return; rm_wunlock(&mac_policy_rm); rms_wunlock(&mac_policy_rms); sx_xunlock(&mac_policy_sx); #endif } static void mac_policy_xlock_assert(void) { #ifndef MAC_STATIC if (!mac_late) return; /* XXXRW: rm_assert(&mac_policy_rm, RA_WLOCKED); */ sx_assert(&mac_policy_sx, SA_XLOCKED); #endif } /* * Initialize the MAC subsystem, including appropriate SMP locks. */ static void mac_init(void) { LIST_INIT(&mac_static_policy_list); LIST_INIT(&mac_policy_list); mac_labelzone_init(); #ifndef MAC_STATIC rm_init_flags(&mac_policy_rm, "mac_policy_rm", RM_NOWITNESS | RM_RECURSE); sx_init_flags(&mac_policy_sx, "mac_policy_sx", SX_NOWITNESS); rms_init(&mac_policy_rms, "mac_policy_rms"); #endif } /* * For the purposes of modules that want to know if they were loaded "early", * set the mac_late flag once we've processed modules either linked into the * kernel, or loaded before the kernel startup. 
*/ static void mac_late_init(void) { mac_late = 1; } /* * Given a policy, derive from its set of non-NULL label init methods what * object types the policy is interested in. */ static uint64_t mac_policy_getlabeled(struct mac_policy_conf *mpc) { uint64_t labeled; #define MPC_FLAG(method, flag) \ if (mpc->mpc_ops->mpo_ ## method != NULL) \ labeled |= (flag); \ labeled = 0; MPC_FLAG(cred_init_label, MPC_OBJECT_CRED); MPC_FLAG(proc_init_label, MPC_OBJECT_PROC); MPC_FLAG(vnode_init_label, MPC_OBJECT_VNODE); MPC_FLAG(inpcb_init_label, MPC_OBJECT_INPCB); MPC_FLAG(socket_init_label, MPC_OBJECT_SOCKET); MPC_FLAG(devfs_init_label, MPC_OBJECT_DEVFS); MPC_FLAG(mbuf_init_label, MPC_OBJECT_MBUF); MPC_FLAG(ipq_init_label, MPC_OBJECT_IPQ); MPC_FLAG(ifnet_init_label, MPC_OBJECT_IFNET); MPC_FLAG(bpfdesc_init_label, MPC_OBJECT_BPFDESC); MPC_FLAG(pipe_init_label, MPC_OBJECT_PIPE); MPC_FLAG(mount_init_label, MPC_OBJECT_MOUNT); MPC_FLAG(posixsem_init_label, MPC_OBJECT_POSIXSEM); MPC_FLAG(posixshm_init_label, MPC_OBJECT_POSIXSHM); MPC_FLAG(sysvmsg_init_label, MPC_OBJECT_SYSVMSG); MPC_FLAG(sysvmsq_init_label, MPC_OBJECT_SYSVMSQ); MPC_FLAG(sysvsem_init_label, MPC_OBJECT_SYSVSEM); MPC_FLAG(sysvshm_init_label, MPC_OBJECT_SYSVSHM); MPC_FLAG(syncache_init_label, MPC_OBJECT_SYNCACHE); MPC_FLAG(ip6q_init_label, MPC_OBJECT_IP6Q); #undef MPC_FLAG return (labeled); } /* * When policies are loaded or unloaded, walk the list of registered policies * and built mac_labeled, a bitmask representing the union of all objects * requiring labels across all policies. 
*/ static void mac_policy_update(void) { struct mac_policy_conf *mpc; mac_policy_xlock_assert(); mac_labeled = 0; mac_policy_count = 0; LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { mac_labeled |= mac_policy_getlabeled(mpc); mac_policy_count++; } LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { mac_labeled |= mac_policy_getlabeled(mpc); mac_policy_count++; } } /* * There are frequently used code paths which check for rarely installed * policies. Gross hack below enables doing it in a cheap manner. */ #define FPO(f) (offsetof(struct mac_policy_ops, mpo_##f) / sizeof(uintptr_t)) struct mac_policy_fastpath_elem { int count; bool *flag; size_t offset; }; struct mac_policy_fastpath_elem mac_policy_fastpath_array[] = { { .offset = FPO(priv_check), .flag = &mac_priv_check_fp_flag }, { .offset = FPO(priv_grant), .flag = &mac_priv_grant_fp_flag }, + { .offset = FPO(vnode_check_lookup), + .flag = &mac_vnode_check_lookup_fp_flag }, + { .offset = FPO(vnode_check_open), + .flag = &mac_vnode_check_open_fp_flag }, + { .offset = FPO(vnode_check_stat), + .flag = &mac_vnode_check_stat_fp_flag }, + { .offset = FPO(vnode_check_read), + .flag = &mac_vnode_check_read_fp_flag }, + { .offset = FPO(vnode_check_write), + .flag = &mac_vnode_check_write_fp_flag }, + { .offset = FPO(vnode_check_mmap), + .flag = &mac_vnode_check_mmap_fp_flag }, }; static void mac_policy_fastpath_enable(struct mac_policy_fastpath_elem *mpfe) { MPASS(mpfe->count >= 0); mpfe->count++; if (mpfe->count == 1) { MPASS(*mpfe->flag == false); *mpfe->flag = true; } } static void mac_policy_fastpath_disable(struct mac_policy_fastpath_elem *mpfe) { MPASS(mpfe->count >= 1); mpfe->count--; if (mpfe->count == 0) { MPASS(*mpfe->flag == true); *mpfe->flag = false; } } static void mac_policy_fastpath_register(struct mac_policy_conf *mpc) { struct mac_policy_fastpath_elem *mpfe; uintptr_t **ops; int i; mac_policy_xlock_assert(); ops = (uintptr_t **)mpc->mpc_ops; for (i = 0; i < nitems(mac_policy_fastpath_array); i++) { 
mpfe = &mac_policy_fastpath_array[i]; if (ops[mpfe->offset] != NULL) mac_policy_fastpath_enable(mpfe); } } static void mac_policy_fastpath_unregister(struct mac_policy_conf *mpc) { struct mac_policy_fastpath_elem *mpfe; uintptr_t **ops; int i; mac_policy_xlock_assert(); ops = (uintptr_t **)mpc->mpc_ops; for (i = 0; i < nitems(mac_policy_fastpath_array); i++) { mpfe = &mac_policy_fastpath_array[i]; if (ops[mpfe->offset] != NULL) mac_policy_fastpath_disable(mpfe); } } #undef FPO static int mac_policy_register(struct mac_policy_conf *mpc) { struct mac_policy_conf *tmpc; int error, slot, static_entry; error = 0; /* * We don't technically need exclusive access while !mac_late, but * hold it for assertion consistency. */ mac_policy_xlock(); /* * If the module can potentially be unloaded, or we're loading late, * we have to stick it in the non-static list and pay an extra * performance overhead. Otherwise, we can pay a light locking cost * and stick it in the static list. */ static_entry = (!mac_late && !(mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK)); if (static_entry) { LIST_FOREACH(tmpc, &mac_static_policy_list, mpc_list) { if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { error = EEXIST; goto out; } } } else { LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { error = EEXIST; goto out; } } } if (mpc->mpc_field_off != NULL) { slot = ffs(mac_slot_offsets_free); if (slot == 0) { error = ENOMEM; goto out; } slot--; mac_slot_offsets_free &= ~(1 << slot); *mpc->mpc_field_off = slot; } mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED; /* * If we're loading a MAC module after the framework has initialized, * it has to go into the dynamic list. If we're loading it before * we've finished initializing, it can go into the static list with * weaker locker requirements. 
*/ if (static_entry) LIST_INSERT_HEAD(&mac_static_policy_list, mpc, mpc_list); else LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list); /* * Per-policy initialization. Currently, this takes place under the * exclusive lock, so policies must not sleep in their init method. * In the future, we may want to separate "init" from "start", with * "init" occurring without the lock held. Likewise, on tear-down, * breaking out "stop" from "destroy". */ if (mpc->mpc_ops->mpo_init != NULL) (*(mpc->mpc_ops->mpo_init))(mpc); mac_policy_fastpath_register(mpc); mac_policy_update(); SDT_PROBE1(mac, , policy, register, mpc); printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); out: mac_policy_xunlock(); return (error); } static int mac_policy_unregister(struct mac_policy_conf *mpc) { /* * If we fail the load, we may get a request to unload. Check to see * if we did the run-time registration, and if not, silently succeed. */ mac_policy_xlock(); if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) == 0) { mac_policy_xunlock(); return (0); } #if 0 /* * Don't allow unloading modules with private data. */ if (mpc->mpc_field_off != NULL) { mac_policy_xunlock(); return (EBUSY); } #endif /* * Only allow the unload to proceed if the module is unloadable by * its own definition. */ if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) { mac_policy_xunlock(); return (EBUSY); } mac_policy_fastpath_unregister(mpc); if (mpc->mpc_ops->mpo_destroy != NULL) (*(mpc->mpc_ops->mpo_destroy))(mpc); LIST_REMOVE(mpc, mpc_list); mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED; mac_policy_update(); mac_policy_xunlock(); SDT_PROBE1(mac, , policy, unregister, mpc); printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); return (0); } /* * Allow MAC policy modules to register during boot, etc. 
*/ int mac_policy_modevent(module_t mod, int type, void *data) { struct mac_policy_conf *mpc; int error; error = 0; mpc = (struct mac_policy_conf *) data; #ifdef MAC_STATIC if (mac_late) { printf("mac_policy_modevent: MAC_STATIC and late\n"); return (EBUSY); } #endif SDT_PROBE2(mac, , policy, modevent, type, mpc); switch (type) { case MOD_LOAD: if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE && mac_late) { printf("mac_policy_modevent: can't load %s policy " "after booting\n", mpc->mpc_name); error = EBUSY; break; } error = mac_policy_register(mpc); break; case MOD_UNLOAD: /* Don't unregister the module if it was never registered. */ if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) != 0) error = mac_policy_unregister(mpc); else error = 0; break; default: error = EOPNOTSUPP; break; } return (error); } /* * Define an error value precedence, and given two arguments, selects the * value with the higher precedence. */ int mac_error_select(int error1, int error2) { /* Certain decision-making errors take top priority. */ if (error1 == EDEADLK || error2 == EDEADLK) return (EDEADLK); /* Invalid arguments should be reported where possible. */ if (error1 == EINVAL || error2 == EINVAL) return (EINVAL); /* Precedence goes to "visibility", with both process and file. */ if (error1 == ESRCH || error2 == ESRCH) return (ESRCH); if (error1 == ENOENT || error2 == ENOENT) return (ENOENT); /* Precedence goes to DAC/MAC protections. */ if (error1 == EACCES || error2 == EACCES) return (EACCES); /* Precedence goes to privilege. */ if (error1 == EPERM || error2 == EPERM) return (EPERM); /* Precedence goes to error over success; otherwise, arbitrary. */ if (error1 != 0) return (error1); return (error2); } int mac_check_structmac_consistent(struct mac *mac) { /* Require that labels have a non-zero length. 
*/ if (mac->m_buflen > MAC_MAX_LABEL_BUF_LEN || mac->m_buflen <= sizeof("")) return (EINVAL); return (0); } SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL);
Index: head/sys/security/mac/mac_framework.h
===================================================================
--- head/sys/security/mac/mac_framework.h (revision 357888)
+++ head/sys/security/mac/mac_framework.h (revision 357889)
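Review bot: The six new `FPFLAG(vnode_check_*)` declarations near the top of the hunk and the six new `mac_policy_fastpath_array` entries further down are two hand-maintained lists that must agree (plus an `extern` and inline wrapper per hook in the header), and nothing in the file checks that they do. A flag declared here but left out of the array is never flipped by `mac_policy_fastpath_register()`, and, following the pattern of the visible `mac_priv_check()` wrapper, its inline caller would presumably keep returning 0 after a policy implementing the hook is loaded — a silent default-allow for that vnode check that no `MPASS` would catch, since the table is only walked for entries that exist. Generating both lists from one X-macro list makes them agree by construction; a comment above the table saying that `*flag` is read lock-free by inlined wrappers and that a hook absent from the table is never enforced on the fast path would help the next person adding a hook. Separately, in `mac_policy_register()` the policy is put on the list and initialised before `mac_policy_fastpath_register(mpc)` runs, so concurrent vnode operations still take the fast path and skip the new policy until its flags flip; if that is intended, `/* Flags flip after the list insert: in-flight fast-path checks may still skip this policy. */` above that call makes it explicit.
```c
/* One list drives both the flag definitions and the fast-path table. */
#define MAC_FASTPATH_HOOKS(X)		\
	X(priv_check)			\
	X(priv_grant)			\
	X(vnode_check_lookup)		\
	X(vnode_check_open)		\
	X(vnode_check_stat)		\
	X(vnode_check_read)		\
	X(vnode_check_write)		\
	X(vnode_check_mmap)

#define FPFLAG(f)	bool __read_frequently mac_##f##_fp_flag;
MAC_FASTPATH_HOOKS(FPFLAG)
#undef FPFLAG

/* … unchanged: slot bookkeeping, locking, mac_policy_getlabeled/update, FPO() and struct mac_policy_fastpath_elem … */

#define FPELEM(f)	{ .offset = FPO(f), .flag = &mac_##f##_fp_flag },
struct mac_policy_fastpath_elem mac_policy_fastpath_array[] = {
	MAC_FASTPATH_HOOKS(FPELEM)
};
#undef FPELEM
```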
@@ -1,472 +1,552 @@ /*- * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * Copyright (c) 2005-2006 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by Network * Associates Laboratories, the Security Research Division of Network * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * * This software was developed at the University of Cambridge Computer * Laboratory with support from a grant from Google, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ /* * Kernel interface for Mandatory Access Control -- how kernel services * interact with the TrustedBSD MAC Framework. */ #ifndef _SECURITY_MAC_MAC_FRAMEWORK_H_ #define _SECURITY_MAC_MAC_FRAMEWORK_H_ #ifndef _KERNEL #error "no user-serviceable parts inside" #endif struct auditinfo; struct auditinfo_addr; struct bpf_d; struct cdev; struct componentname; struct devfs_dirent; struct ifnet; struct ifreq; struct image_params; struct inpcb; struct ip6q; struct ipq; struct ksem; struct label; struct m_tag; struct mac; struct mbuf; struct mount; struct msg; struct msqid_kernel; struct proc; struct semid_kernel; struct shmfd; struct shmid_kernel; struct sockaddr; struct socket; struct sysctl_oid; struct sysctl_req; struct pipepair; struct thread; struct timespec; struct ucred; struct vattr; struct vnode; struct vop_setlabel_args; #include /* XXX acl_type_t */ #include /* accmode_t */ /* * Entry points to the TrustedBSD MAC Framework from the remainder of the * kernel: entry points are named based on a principle object type and an * action relating to it. They are sorted alphabetically first by object * type and then action. In some situations, the principle object type is * obvious, and in other cases, less so as multiple objects may be inolved * in the operation. 
*/ int mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp); void mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d); void mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m); void mac_bpfdesc_destroy(struct bpf_d *); void mac_bpfdesc_init(struct bpf_d *); void mac_cred_associate_nfsd(struct ucred *cred); int mac_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai); int mac_cred_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia); int mac_cred_check_setauid(struct ucred *cred, uid_t auid); int mac_cred_check_setegid(struct ucred *cred, gid_t egid); int mac_cred_check_seteuid(struct ucred *cred, uid_t euid); int mac_cred_check_setgid(struct ucred *cred, gid_t gid); int mac_cred_check_setgroups(struct ucred *cred, int ngroups, gid_t *gidset); int mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid); int mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, gid_t sgid); int mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, uid_t suid); int mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid); int mac_cred_check_setuid(struct ucred *cred, uid_t uid); int mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2); void mac_cred_copy(struct ucred *cr1, struct ucred *cr2); void mac_cred_create_init(struct ucred *cred); void mac_cred_create_swapper(struct ucred *cred); void mac_cred_destroy(struct ucred *); void mac_cred_init(struct ucred *); void mac_devfs_create_device(struct ucred *cred, struct mount *mp, struct cdev *dev, struct devfs_dirent *de); void mac_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen, struct devfs_dirent *de); void mac_devfs_create_symlink(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct devfs_dirent *de); void mac_devfs_destroy(struct devfs_dirent *); void mac_devfs_init(struct devfs_dirent *); void mac_devfs_update(struct mount *mp, struct devfs_dirent *de, struct vnode *vp); void 
mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de, struct vnode *vp); int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m); void mac_ifnet_create(struct ifnet *ifp); void mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m); void mac_ifnet_destroy(struct ifnet *); void mac_ifnet_init(struct ifnet *); int mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp); int mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp); int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m); int mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp); void mac_inpcb_create(struct socket *so, struct inpcb *inp); void mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m); void mac_inpcb_destroy(struct inpcb *); int mac_inpcb_init(struct inpcb *, int); void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp); void mac_ip6q_create(struct mbuf *m, struct ip6q *q6); void mac_ip6q_destroy(struct ip6q *q6); int mac_ip6q_init(struct ip6q *q6, int); int mac_ip6q_match(struct mbuf *m, struct ip6q *q6); void mac_ip6q_reassemble(struct ip6q *q6, struct mbuf *m); void mac_ip6q_update(struct mbuf *m, struct ip6q *q6); void mac_ipq_create(struct mbuf *m, struct ipq *q); void mac_ipq_destroy(struct ipq *q); int mac_ipq_init(struct ipq *q, int); int mac_ipq_match(struct mbuf *m, struct ipq *q); void mac_ipq_reassemble(struct ipq *q, struct mbuf *m); void mac_ipq_update(struct mbuf *m, struct ipq *q); int mac_kenv_check_dump(struct ucred *cred); int mac_kenv_check_get(struct ucred *cred, char *name); int mac_kenv_check_set(struct ucred *cred, char *name, char *value); int mac_kenv_check_unset(struct ucred *cred, char *name); int mac_kld_check_load(struct ucred *cred, struct vnode *vp); int mac_kld_check_stat(struct ucred *cred); void mac_mbuf_copy(struct mbuf *, struct mbuf *); int mac_mbuf_init(struct mbuf *, int); void mac_mbuf_tag_copy(struct m_tag *, struct m_tag *); void 
mac_mbuf_tag_destroy(struct m_tag *); int mac_mbuf_tag_init(struct m_tag *, int); int mac_mount_check_stat(struct ucred *cred, struct mount *mp); void mac_mount_create(struct ucred *cred, struct mount *mp); void mac_mount_destroy(struct mount *); void mac_mount_init(struct mount *); void mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m); void mac_netinet_firewall_reply(struct mbuf *mrecv, struct mbuf *msend); void mac_netinet_firewall_send(struct mbuf *m); void mac_netinet_fragment(struct mbuf *m, struct mbuf *frag); void mac_netinet_icmp_reply(struct mbuf *mrecv, struct mbuf *msend); void mac_netinet_icmp_replyinplace(struct mbuf *m); void mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m); void mac_netinet_tcp_reply(struct mbuf *m); void mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m); int mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, unsigned long cmd, void *data); int mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp); int mac_pipe_check_read(struct ucred *cred, struct pipepair *pp); int mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp); int mac_pipe_check_write(struct ucred *cred, struct pipepair *pp); void mac_pipe_create(struct ucred *cred, struct pipepair *pp); void mac_pipe_destroy(struct pipepair *); void mac_pipe_init(struct pipepair *); int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp, struct label *label); int mac_posixsem_check_getvalue(struct ucred *active_cred, struct ucred *file_cred, struct ksem *ks); int mac_posixsem_check_open(struct ucred *cred, struct ksem *ks); int mac_posixsem_check_post(struct ucred *active_cred, struct ucred *file_cred, struct ksem *ks); int mac_posixsem_check_setmode(struct ucred *cred, struct ksem *ks, mode_t mode); int mac_posixsem_check_setowner(struct ucred *cred, struct ksem *ks, uid_t uid, gid_t gid); int mac_posixsem_check_stat(struct ucred *active_cred, struct ucred *file_cred, struct ksem *ks); int mac_posixsem_check_unlink(struct ucred 
*cred, struct ksem *ks); int mac_posixsem_check_wait(struct ucred *active_cred, struct ucred *file_cred, struct ksem *ks); void mac_posixsem_create(struct ucred *cred, struct ksem *ks); void mac_posixsem_destroy(struct ksem *); void mac_posixsem_init(struct ksem *); int mac_posixshm_check_create(struct ucred *cred, const char *path); int mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd, int prot, int flags); int mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd, accmode_t accmode); int mac_posixshm_check_read(struct ucred *active_cred, struct ucred *file_cred, struct shmfd *shmfd); int mac_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd, mode_t mode); int mac_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd, uid_t uid, gid_t gid); int mac_posixshm_check_stat(struct ucred *active_cred, struct ucred *file_cred, struct shmfd *shmfd); int mac_posixshm_check_truncate(struct ucred *active_cred, struct ucred *file_cred, struct shmfd *shmfd); int mac_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd); int mac_posixshm_check_write(struct ucred *active_cred, struct ucred *file_cred, struct shmfd *shmfd); void mac_posixshm_create(struct ucred *cred, struct shmfd *shmfd); void mac_posixshm_destroy(struct shmfd *); void mac_posixshm_init(struct shmfd *); int mac_priv_check_impl(struct ucred *cred, int priv); extern bool mac_priv_check_fp_flag; static inline int mac_priv_check(struct ucred *cred, int priv) { if (__predict_false(mac_priv_check_fp_flag)) return (mac_priv_check_impl(cred, priv)); return (0); } int mac_priv_grant_impl(struct ucred *cred, int priv); extern bool mac_priv_grant_fp_flag; static inline int mac_priv_grant(struct ucred *cred, int priv) { if (__predict_false(mac_priv_grant_fp_flag)) return (mac_priv_grant_impl(cred, priv)); return (EPERM); } int mac_proc_check_debug(struct ucred *cred, struct proc *p); int mac_proc_check_sched(struct ucred *cred, struct proc *p); int 
mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum); int mac_proc_check_wait(struct ucred *cred, struct proc *p); void mac_proc_destroy(struct proc *); void mac_proc_init(struct proc *); void mac_proc_vm_revoke(struct thread *td); int mac_execve_enter(struct image_params *imgp, struct mac *mac_p); void mac_execve_exit(struct image_params *imgp); void mac_execve_interpreter_enter(struct vnode *interpvp, struct label **interplabel); void mac_execve_interpreter_exit(struct label *interpvplabel); int mac_socket_check_accept(struct ucred *cred, struct socket *so); int mac_socket_check_bind(struct ucred *cred, struct socket *so, struct sockaddr *sa); int mac_socket_check_connect(struct ucred *cred, struct socket *so, struct sockaddr *sa); int mac_socket_check_create(struct ucred *cred, int domain, int type, int proto); int mac_socket_check_deliver(struct socket *so, struct mbuf *m); int mac_socket_check_listen(struct ucred *cred, struct socket *so); int mac_socket_check_poll(struct ucred *cred, struct socket *so); int mac_socket_check_receive(struct ucred *cred, struct socket *so); int mac_socket_check_send(struct ucred *cred, struct socket *so); int mac_socket_check_stat(struct ucred *cred, struct socket *so); int mac_socket_check_visible(struct ucred *cred, struct socket *so); void mac_socket_create_mbuf(struct socket *so, struct mbuf *m); void mac_socket_create(struct ucred *cred, struct socket *so); void mac_socket_destroy(struct socket *); int mac_socket_init(struct socket *, int); void mac_socket_newconn(struct socket *oldso, struct socket *newso); int mac_getsockopt_label(struct ucred *cred, struct socket *so, struct mac *extmac); int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so, struct mac *extmac); int mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *extmac); void mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so); void mac_socketpeer_set_from_socket(struct socket *oldso, struct socket 
*newso); void mac_syncache_create(struct label *l, struct inpcb *inp); void mac_syncache_create_mbuf(struct label *l, struct mbuf *m); void mac_syncache_destroy(struct label **l); int mac_syncache_init(struct label **l); int mac_system_check_acct(struct ucred *cred, struct vnode *vp); int mac_system_check_audit(struct ucred *cred, void *record, int length); int mac_system_check_auditctl(struct ucred *cred, struct vnode *vp); int mac_system_check_auditon(struct ucred *cred, int cmd); int mac_system_check_reboot(struct ucred *cred, int howto); int mac_system_check_swapon(struct ucred *cred, struct vnode *vp); int mac_system_check_swapoff(struct ucred *cred, struct vnode *vp); int mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1, int arg2, struct sysctl_req *req); void mac_sysvmsg_cleanup(struct msg *msgptr); void mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr, struct msg *msgptr); void mac_sysvmsg_destroy(struct msg *); void mac_sysvmsg_init(struct msg *); int mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr, struct msqid_kernel *msqkptr); int mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr); int mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr); int mac_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, int cmd); int mac_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr); int mac_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr); int mac_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr); void mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr); void mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr); void mac_sysvmsq_destroy(struct msqid_kernel *); void mac_sysvmsq_init(struct msqid_kernel *); int mac_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr, int cmd); int mac_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr); int 
mac_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr, size_t accesstype); void mac_sysvsem_cleanup(struct semid_kernel *semakptr); void mac_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr); void mac_sysvsem_destroy(struct semid_kernel *); void mac_sysvsem_init(struct semid_kernel *); int mac_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, int shmflg); int mac_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, int cmd); int mac_sysvshm_check_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr); int mac_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, int shmflg); void mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr); void mac_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr); void mac_sysvshm_destroy(struct shmid_kernel *); void mac_sysvshm_init(struct shmid_kernel *); void mac_thread_userret(struct thread *td); +#ifdef DEBUG_VFS_LOCKS +void mac_vnode_assert_locked(struct vnode *vp, const char *func); +#else +#define mac_vnode_assert_locked(vp, func) do { } while (0) +#endif + int mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp); void mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp); int mac_vnode_check_access(struct ucred *cred, struct vnode *vp, accmode_t accmode); int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp); int mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp); int mac_vnode_check_create(struct ucred *cred, struct vnode *dvp, struct componentname *cnp, struct vattr *vap); int mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, acl_type_t type); int mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name); int mac_vnode_check_exec(struct ucred *cred, struct vnode *vp, struct image_params *imgp); int mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type); int 
mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name); int mac_vnode_check_link(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp); int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, int attrnamespace); -int mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, + +int mac_vnode_check_lookup_impl(struct ucred *cred, struct vnode *dvp, struct componentname *cnp); -int mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot, +extern bool mac_vnode_check_lookup_fp_flag; +static inline int +mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, + struct componentname *cnp) +{ + + mac_vnode_assert_locked(dvp, "mac_vnode_check_lookup"); + if (__predict_false(mac_vnode_check_lookup_fp_flag)) + return (mac_vnode_check_lookup_impl(cred, dvp, cnp)); + return (0); +} + +int mac_vnode_check_mmap_impl(struct ucred *cred, struct vnode *vp, int prot, int flags); +extern bool mac_vnode_check_mmap_fp_flag; +static inline int +mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot, + int flags) +{ + + mac_vnode_assert_locked(vp, "mac_vnode_check_mmap"); + if (__predict_false(mac_vnode_check_mmap_fp_flag)) + return (mac_vnode_check_mmap_impl(cred, vp, prot, flags)); + return (0); +} + +int mac_vnode_check_open_impl(struct ucred *cred, struct vnode *vp, + accmode_t accmode); +extern bool mac_vnode_check_open_fp_flag; +static inline int +mac_vnode_check_open(struct ucred *cred, struct vnode *vp, + accmode_t accmode) +{ + + mac_vnode_assert_locked(vp, "mac_vnode_check_open"); + if (__predict_false(mac_vnode_check_open_fp_flag)) + return (mac_vnode_check_open_impl(cred, vp, accmode)); + return (0); +} + int mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot); -int mac_vnode_check_open(struct ucred *cred, struct vnode *vp, - accmode_t accmode); int mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred, struct 
vnode *vp); -int mac_vnode_check_read(struct ucred *active_cred, - struct ucred *file_cred, struct vnode *vp); int mac_vnode_check_readdir(struct ucred *cred, struct vnode *vp); int mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp); int mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp); int mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, struct vnode *vp, int samedir, struct componentname *cnp); int mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp); int mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, struct acl *acl); int mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name); int mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, u_long flags); int mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp, mode_t mode); int mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, gid_t gid); int mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime); -int mac_vnode_check_stat(struct ucred *active_cred, + +int mac_vnode_check_stat_impl(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp); +extern bool mac_vnode_check_stat_fp_flag; +static inline int +mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) +{ + + mac_vnode_assert_locked(vp, "mac_vnode_check_stat"); + if (__predict_false(mac_vnode_check_stat_fp_flag)) + return (mac_vnode_check_stat_impl(active_cred, file_cred, vp)); + return (0); +} + +int mac_vnode_check_read_impl(struct ucred *active_cred, + struct ucred *file_cred, struct vnode *vp); +extern bool mac_vnode_check_read_fp_flag; +static inline int +mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) +{ + + mac_vnode_assert_locked(vp, "mac_vnode_check_read"); + if 
(__predict_false(mac_vnode_check_read_fp_flag)) + return (mac_vnode_check_read_impl(active_cred, file_cred, vp)); + return (0); +} + +int mac_vnode_check_write_impl(struct ucred *active_cred, + struct ucred *file_cred, struct vnode *vp); +extern bool mac_vnode_check_write_fp_flag; +static inline int +mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) +{ + + mac_vnode_assert_locked(vp, "mac_vnode_check_write"); + if (__predict_false(mac_vnode_check_write_fp_flag)) + return (mac_vnode_check_write_impl(active_cred, file_cred, vp)); + return (0); +} + int mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp); -int mac_vnode_check_write(struct ucred *active_cred, - struct ucred *file_cred, struct vnode *vp); void mac_vnode_copy_label(struct label *, struct label *); void mac_vnode_init(struct vnode *); int mac_vnode_create_extattr(struct ucred *cred, struct mount *mp, struct vnode *dvp, struct vnode *vp, struct componentname *cnp); void mac_vnode_destroy(struct vnode *); void mac_vnode_execve_transition(struct ucred *oldcred, struct ucred *newcred, struct vnode *vp, struct label *interpvplabel, struct image_params *imgp); int mac_vnode_execve_will_transition(struct ucred *cred, struct vnode *vp, struct label *interpvplabel, struct image_params *imgp); void mac_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel); /* * Calls to help various file systems implement labeling functionality using * their existing EA implementation. */ int vop_stdsetlabel_ea(struct vop_setlabel_args *ap); #endif /* !_SECURITY_MAC_MAC_FRAMEWORK_H_ */ Index: head/sys/security/mac/mac_vfs.c =================================================================== --- head/sys/security/mac/mac_vfs.c (revision 357888) +++ head/sys/security/mac/mac_vfs.c (revision 357889) 
@@ -1,1070 +1,1081 @@ /*- * Copyright (c) 1999-2002, 2009 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2005 McAfee, Inc. * Copyright (c) 2005-2006 SPARTA, Inc. * Copyright (c) 2008 Apple Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the * TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by McAfee * Research, the Security Research Division of McAfee, Inc. under * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * * This software was developed at the University of Cambridge Computer * Laboratory with support from a grant from Google, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include __FBSDID("$FreeBSD$"); #include "opt_mac.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* * Warn about EA transactions only the first time they happen. No locking on * this variable. */ static int ea_warn_once = 0; static int mac_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp, struct label *intlabel); static struct label * mac_devfs_label_alloc(void) { struct label *label; label = mac_labelzone_alloc(M_WAITOK); MAC_POLICY_PERFORM(devfs_init_label, label); return (label); } void mac_devfs_init(struct devfs_dirent *de) { if (mac_labeled & MPC_OBJECT_DEVFS) de->de_label = mac_devfs_label_alloc(); else de->de_label = NULL; } static struct label * mac_mount_label_alloc(void) { struct label *label; label = mac_labelzone_alloc(M_WAITOK); MAC_POLICY_PERFORM(mount_init_label, label); return (label); } void mac_mount_init(struct mount *mp) { if (mac_labeled & MPC_OBJECT_MOUNT) mp->mnt_label = mac_mount_label_alloc(); else mp->mnt_label = NULL; } struct label * mac_vnode_label_alloc(void) { struct label *label; label = mac_labelzone_alloc(M_WAITOK); MAC_POLICY_PERFORM(vnode_init_label, label); return (label); } void mac_vnode_init(struct vnode *vp) { if (mac_labeled & MPC_OBJECT_VNODE) vp->v_label = mac_vnode_label_alloc(); else vp->v_label = NULL; } static void 
mac_devfs_label_free(struct label *label) { MAC_POLICY_PERFORM_NOSLEEP(devfs_destroy_label, label); mac_labelzone_free(label); } void mac_devfs_destroy(struct devfs_dirent *de) { if (de->de_label != NULL) { mac_devfs_label_free(de->de_label); de->de_label = NULL; } } static void mac_mount_label_free(struct label *label) { MAC_POLICY_PERFORM_NOSLEEP(mount_destroy_label, label); mac_labelzone_free(label); } void mac_mount_destroy(struct mount *mp) { if (mp->mnt_label != NULL) { mac_mount_label_free(mp->mnt_label); mp->mnt_label = NULL; } } void mac_vnode_label_free(struct label *label) { MAC_POLICY_PERFORM_NOSLEEP(vnode_destroy_label, label); mac_labelzone_free(label); } void mac_vnode_destroy(struct vnode *vp) { if (vp->v_label != NULL) { mac_vnode_label_free(vp->v_label); vp->v_label = NULL; } } void mac_vnode_copy_label(struct label *src, struct label *dest) { MAC_POLICY_PERFORM_NOSLEEP(vnode_copy_label, src, dest); } int mac_vnode_externalize_label(struct label *label, char *elements, char *outbuf, size_t outbuflen) { int error; MAC_POLICY_EXTERNALIZE(vnode, label, elements, outbuf, outbuflen); return (error); } int mac_vnode_internalize_label(struct label *label, char *string) { int error; MAC_POLICY_INTERNALIZE(vnode, label, string); return (error); } void mac_devfs_update(struct mount *mp, struct devfs_dirent *de, struct vnode *vp) { MAC_POLICY_PERFORM_NOSLEEP(devfs_update, mp, de, de->de_label, vp, vp->v_label); } void mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de, struct vnode *vp) { MAC_POLICY_PERFORM_NOSLEEP(devfs_vnode_associate, mp, mp->mnt_label, de, de->de_label, vp, vp->v_label); } int mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_associate_extattr"); MAC_POLICY_CHECK(vnode_associate_extattr, mp, mp->mnt_label, vp, vp->v_label); return (error); } void mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp) { 
MAC_POLICY_PERFORM_NOSLEEP(vnode_associate_singlelabel, mp, mp->mnt_label, vp, vp->v_label); } /* * Functions implementing extended-attribute backed labels for file systems * that support it. * * Where possible, we use EA transactions to make writes to multiple * attributes across difference policies mutually atomic. We allow work to * continue on file systems not supporting EA transactions, but generate a * printf warning. */ int mac_vnode_create_extattr(struct ucred *cred, struct mount *mp, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_vnode_create_extattr"); ASSERT_VOP_LOCKED(vp, "mac_vnode_create_extattr"); error = VOP_OPENEXTATTR(vp, cred, curthread); if (error == EOPNOTSUPP) { if (ea_warn_once == 0) { printf("Warning: transactions not supported " "in EA write.\n"); ea_warn_once = 1; } } else if (error) return (error); MAC_POLICY_CHECK(vnode_create_extattr, cred, mp, mp->mnt_label, dvp, dvp->v_label, vp, vp->v_label, cnp); if (error) { VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread); return (error); } error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread); if (error == EOPNOTSUPP) error = 0; return (error); } static int mac_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp, struct label *intlabel) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_setlabel_extattr"); error = VOP_OPENEXTATTR(vp, cred, curthread); if (error == EOPNOTSUPP) { if (ea_warn_once == 0) { printf("Warning: transactions not supported " "in EA write.\n"); ea_warn_once = 1; } } else if (error) return (error); MAC_POLICY_CHECK(vnode_setlabel_extattr, cred, vp, vp->v_label, intlabel); if (error) { VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread); return (error); } error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread); if (error == EOPNOTSUPP) error = 0; return (error); } void mac_vnode_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *interpvplabel, struct image_params *imgp) { ASSERT_VOP_LOCKED(vp, 
"mac_vnode_execve_transition"); MAC_POLICY_PERFORM(vnode_execve_transition, old, new, vp, vp->v_label, interpvplabel, imgp, imgp->execlabel); } int mac_vnode_execve_will_transition(struct ucred *old, struct vnode *vp, struct label *interpvplabel, struct image_params *imgp) { int result; ASSERT_VOP_LOCKED(vp, "mac_vnode_execve_will_transition"); result = 0; /* No sleeping since the process lock will be held by the caller. */ MAC_POLICY_BOOLEAN_NOSLEEP(vnode_execve_will_transition, ||, old, vp, vp->v_label, interpvplabel, imgp, imgp->execlabel); return (result); } MAC_CHECK_PROBE_DEFINE3(vnode_check_access, "struct ucred *", "struct vnode *", "accmode_t"); int mac_vnode_check_access(struct ucred *cred, struct vnode *vp, accmode_t accmode) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_access"); MAC_POLICY_CHECK(vnode_check_access, cred, vp, vp->v_label, accmode); MAC_CHECK_PROBE3(vnode_check_access, error, cred, vp, accmode); return (error); } MAC_CHECK_PROBE_DEFINE2(vnode_check_chdir, "struct ucred *", "struct vnode *"); int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chdir"); MAC_POLICY_CHECK(vnode_check_chdir, cred, dvp, dvp->v_label); MAC_CHECK_PROBE2(vnode_check_chdir, error, cred, dvp); return (error); } MAC_CHECK_PROBE_DEFINE2(vnode_check_chroot, "struct ucred *", "struct vnode *"); int mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chroot"); MAC_POLICY_CHECK(vnode_check_chroot, cred, dvp, dvp->v_label); MAC_CHECK_PROBE2(vnode_check_chroot, error, cred, dvp); return (error); } MAC_CHECK_PROBE_DEFINE4(vnode_check_create, "struct ucred *", "struct vnode *", "struct componentname *", "struct vattr *"); int mac_vnode_check_create(struct ucred *cred, struct vnode *dvp, struct componentname *cnp, struct vattr *vap) { int error; ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_create"); MAC_POLICY_CHECK(vnode_check_create, cred, dvp, 
dvp->v_label, cnp, vap); MAC_CHECK_PROBE4(vnode_check_create, error, cred, dvp, cnp, vap); return (error); } MAC_CHECK_PROBE_DEFINE3(vnode_check_deleteacl, "struct ucred *", "struct vnode *", "acl_type_t"); int mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteacl"); MAC_POLICY_CHECK(vnode_check_deleteacl, cred, vp, vp->v_label, type); MAC_CHECK_PROBE3(vnode_check_deleteacl, error, cred, vp, type); return (error); } MAC_CHECK_PROBE_DEFINE4(vnode_check_deleteextattr, "struct ucred *", "struct vnode *", "int", "const char *"); int mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteextattr"); MAC_POLICY_CHECK(vnode_check_deleteextattr, cred, vp, vp->v_label, attrnamespace, name); MAC_CHECK_PROBE4(vnode_check_deleteextattr, error, cred, vp, attrnamespace, name); return (error); } MAC_CHECK_PROBE_DEFINE3(vnode_check_exec, "struct ucred *", "struct vnode *", "struct image_params *"); int mac_vnode_check_exec(struct ucred *cred, struct vnode *vp, struct image_params *imgp) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_exec"); MAC_POLICY_CHECK(vnode_check_exec, cred, vp, vp->v_label, imgp, imgp->execlabel); MAC_CHECK_PROBE3(vnode_check_exec, error, cred, vp, imgp); return (error); } MAC_CHECK_PROBE_DEFINE3(vnode_check_getacl, "struct ucred *", "struct vnode *", "acl_type_t"); int mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getacl"); MAC_POLICY_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type); MAC_CHECK_PROBE3(vnode_check_getacl, error, cred, vp, type); return (error); } MAC_CHECK_PROBE_DEFINE4(vnode_check_getextattr, "struct ucred *", "struct vnode *", "int", "const char *"); int mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name) 
{ int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getextattr"); MAC_POLICY_CHECK(vnode_check_getextattr, cred, vp, vp->v_label, attrnamespace, name); MAC_CHECK_PROBE4(vnode_check_getextattr, error, cred, vp, attrnamespace, name); return (error); } MAC_CHECK_PROBE_DEFINE4(vnode_check_link, "struct ucred *", "struct vnode *", "struct vnode *", "struct componentname *"); int mac_vnode_check_link(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_link"); ASSERT_VOP_LOCKED(vp, "mac_vnode_check_link"); MAC_POLICY_CHECK(vnode_check_link, cred, dvp, dvp->v_label, vp, vp->v_label, cnp); MAC_CHECK_PROBE4(vnode_check_link, error, cred, dvp, vp, cnp); return (error); } MAC_CHECK_PROBE_DEFINE3(vnode_check_listextattr, "struct ucred *", "struct vnode *", "int"); int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, int attrnamespace) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_listextattr"); MAC_POLICY_CHECK(vnode_check_listextattr, cred, vp, vp->v_label, attrnamespace); MAC_CHECK_PROBE3(vnode_check_listextattr, error, cred, vp, attrnamespace); return (error); } MAC_CHECK_PROBE_DEFINE3(vnode_check_lookup, "struct ucred *", "struct vnode *", "struct componentname *"); int -mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, +mac_vnode_check_lookup_impl(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_lookup"); + if ((cnp->cn_flags & NOMACCHECK) != 0) + return (0); MAC_POLICY_CHECK(vnode_check_lookup, cred, dvp, dvp->v_label, cnp); MAC_CHECK_PROBE3(vnode_check_lookup, error, cred, dvp, cnp); return (error); } MAC_CHECK_PROBE_DEFINE4(vnode_check_mmap, "struct ucred *", "struct vnode *", "int", "int"); int -mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot, +mac_vnode_check_mmap_impl(struct ucred *cred, struct vnode *vp, int prot, int flags) { int error; ASSERT_VOP_LOCKED(vp, 
"mac_vnode_check_mmap"); MAC_POLICY_CHECK(vnode_check_mmap, cred, vp, vp->v_label, prot, flags); MAC_CHECK_PROBE4(vnode_check_mmap, error, cred, vp, prot, flags); return (error); } void mac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot) { int result = *prot; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap_downgrade"); MAC_POLICY_PERFORM(vnode_check_mmap_downgrade, cred, vp, vp->v_label, &result); *prot = result; } MAC_CHECK_PROBE_DEFINE3(vnode_check_mprotect, "struct ucred *", "struct vnode *", "int"); int mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mprotect"); MAC_POLICY_CHECK(vnode_check_mprotect, cred, vp, vp->v_label, prot); MAC_CHECK_PROBE3(vnode_check_mprotect, error, cred, vp, prot); return (error); } MAC_CHECK_PROBE_DEFINE3(vnode_check_open, "struct ucred *", "struct vnode *", "accmode_t"); int -mac_vnode_check_open(struct ucred *cred, struct vnode *vp, accmode_t accmode) +mac_vnode_check_open_impl(struct ucred *cred, struct vnode *vp, accmode_t accmode) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_open"); MAC_POLICY_CHECK(vnode_check_open, cred, vp, vp->v_label, accmode); MAC_CHECK_PROBE3(vnode_check_open, error, cred, vp, accmode); return (error); } MAC_CHECK_PROBE_DEFINE3(vnode_check_poll, "struct ucred *", "struct ucred *", "struct vnode *"); int mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_poll"); MAC_POLICY_CHECK(vnode_check_poll, active_cred, file_cred, vp, vp->v_label); MAC_CHECK_PROBE3(vnode_check_poll, error, active_cred, file_cred, vp); return (error); } MAC_CHECK_PROBE_DEFINE3(vnode_check_read, "struct ucred *", "struct ucred *", "struct vnode *"); int -mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred, +mac_vnode_check_read_impl(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp) { int error; 
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_read"); MAC_POLICY_CHECK(vnode_check_read, active_cred, file_cred, vp, vp->v_label); MAC_CHECK_PROBE3(vnode_check_read, error, active_cred, file_cred, vp); return (error); } MAC_CHECK_PROBE_DEFINE2(vnode_check_readdir, "struct ucred *", "struct vnode *"); int mac_vnode_check_readdir(struct ucred *cred, struct vnode *dvp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_readdir"); MAC_POLICY_CHECK(vnode_check_readdir, cred, dvp, dvp->v_label); MAC_CHECK_PROBE2(vnode_check_readdir, error, cred, dvp); return (error); } MAC_CHECK_PROBE_DEFINE2(vnode_check_readlink, "struct ucred *", "struct vnode *"); int mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_readlink"); MAC_POLICY_CHECK(vnode_check_readlink, cred, vp, vp->v_label); MAC_CHECK_PROBE2(vnode_check_readlink, error, cred, vp); return (error); } MAC_CHECK_PROBE_DEFINE3(vnode_check_relabel, "struct ucred *", "struct vnode *", "struct label *"); static int mac_vnode_check_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_relabel"); MAC_POLICY_CHECK(vnode_check_relabel, cred, vp, vp->v_label, newlabel); MAC_CHECK_PROBE3(vnode_check_relabel, error, cred, vp, newlabel); return (error); } MAC_CHECK_PROBE_DEFINE4(vnode_check_rename_from, "struct ucred *", "struct vnode *", "struct vnode *", "struct componentname *"); int mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_rename_from"); ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_from"); MAC_POLICY_CHECK(vnode_check_rename_from, cred, dvp, dvp->v_label, vp, vp->v_label, cnp); MAC_CHECK_PROBE4(vnode_check_rename_from, error, cred, dvp, vp, cnp); return (error); } MAC_CHECK_PROBE_DEFINE4(vnode_check_rename_to, "struct ucred *", "struct vnode *", "struct vnode *", "struct 
componentname *"); int mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, struct vnode *vp, int samedir, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_rename_to"); ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_to"); MAC_POLICY_CHECK(vnode_check_rename_to, cred, dvp, dvp->v_label, vp, vp != NULL ? vp->v_label : NULL, samedir, cnp); MAC_CHECK_PROBE4(vnode_check_rename_to, error, cred, dvp, vp, cnp); return (error); } MAC_CHECK_PROBE_DEFINE2(vnode_check_revoke, "struct ucred *", "struct vnode *"); int mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_revoke"); MAC_POLICY_CHECK(vnode_check_revoke, cred, vp, vp->v_label); MAC_CHECK_PROBE2(vnode_check_revoke, error, cred, vp); return (error); } MAC_CHECK_PROBE_DEFINE4(vnode_check_setacl, "struct ucred *", "struct vnode *", "acl_type_t", "struct acl *"); int mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, struct acl *acl) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setacl"); MAC_POLICY_CHECK(vnode_check_setacl, cred, vp, vp->v_label, type, acl); MAC_CHECK_PROBE4(vnode_check_setacl, error, cred, vp, type, acl); return (error); } MAC_CHECK_PROBE_DEFINE4(vnode_check_setextattr, "struct ucred *", "struct vnode *", "int", "const char *"); int mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setextattr"); MAC_POLICY_CHECK(vnode_check_setextattr, cred, vp, vp->v_label, attrnamespace, name); MAC_CHECK_PROBE4(vnode_check_setextattr, error, cred, vp, attrnamespace, name); return (error); } MAC_CHECK_PROBE_DEFINE3(vnode_check_setflags, "struct ucred *", "struct vnode *", "u_long"); int mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, u_long flags) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setflags"); MAC_POLICY_CHECK(vnode_check_setflags, cred, vp, 
vp->v_label, flags); MAC_CHECK_PROBE3(vnode_check_setflags, error, cred, vp, flags); return (error); } MAC_CHECK_PROBE_DEFINE3(vnode_check_setmode, "struct ucred *", "struct vnode *", "mode_t"); int mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setmode"); MAC_POLICY_CHECK(vnode_check_setmode, cred, vp, vp->v_label, mode); MAC_CHECK_PROBE3(vnode_check_setmode, error, cred, vp, mode); return (error); } MAC_CHECK_PROBE_DEFINE4(vnode_check_setowner, "struct ucred *", "struct vnode *", "uid_t", "gid_t"); int mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, gid_t gid) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setowner"); MAC_POLICY_CHECK(vnode_check_setowner, cred, vp, vp->v_label, uid, gid); MAC_CHECK_PROBE4(vnode_check_setowner, error, cred, vp, uid, gid); return (error); } MAC_CHECK_PROBE_DEFINE4(vnode_check_setutimes, "struct ucred *", "struct vnode *", "struct timespec *", "struct timespec *"); int mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setutimes"); MAC_POLICY_CHECK(vnode_check_setutimes, cred, vp, vp->v_label, atime, mtime); MAC_CHECK_PROBE4(vnode_check_setutimes, error, cred, vp, &atime, &mtime); return (error); } MAC_CHECK_PROBE_DEFINE3(vnode_check_stat, "struct ucred *", "struct ucred *", "struct vnode *"); int -mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, +mac_vnode_check_stat_impl(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_stat"); MAC_POLICY_CHECK(vnode_check_stat, active_cred, file_cred, vp, vp->v_label); MAC_CHECK_PROBE3(vnode_check_stat, error, active_cred, file_cred, vp); return (error); } MAC_CHECK_PROBE_DEFINE4(vnode_check_unlink, "struct ucred *", "struct vnode *", "struct vnode *", "struct componentname *"); int 
mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_unlink"); ASSERT_VOP_LOCKED(vp, "mac_vnode_check_unlink"); MAC_POLICY_CHECK(vnode_check_unlink, cred, dvp, dvp->v_label, vp, vp->v_label, cnp); MAC_CHECK_PROBE4(vnode_check_unlink, error, cred, dvp, vp, cnp); return (error); } MAC_CHECK_PROBE_DEFINE3(vnode_check_write, "struct ucred *", "struct ucred *", "struct vnode *"); int -mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred, +mac_vnode_check_write_impl(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_vnode_check_write"); MAC_POLICY_CHECK(vnode_check_write, active_cred, file_cred, vp, vp->v_label); MAC_CHECK_PROBE3(vnode_check_write, error, active_cred, file_cred, vp); return (error); } void mac_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel) { MAC_POLICY_PERFORM(vnode_relabel, cred, vp, vp->v_label, newlabel); } void mac_mount_create(struct ucred *cred, struct mount *mp) { MAC_POLICY_PERFORM(mount_create, cred, mp, mp->mnt_label); } MAC_CHECK_PROBE_DEFINE2(mount_check_stat, "struct ucred *", "struct mount *"); int mac_mount_check_stat(struct ucred *cred, struct mount *mount) { int error; MAC_POLICY_CHECK_NOSLEEP(mount_check_stat, cred, mount, mount->mnt_label); MAC_CHECK_PROBE2(mount_check_stat, error, cred, mount); return (error); } void mac_devfs_create_device(struct ucred *cred, struct mount *mp, struct cdev *dev, struct devfs_dirent *de) { MAC_POLICY_PERFORM_NOSLEEP(devfs_create_device, cred, mp, dev, de, de->de_label); } void mac_devfs_create_symlink(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct devfs_dirent *de) { MAC_POLICY_PERFORM_NOSLEEP(devfs_create_symlink, cred, mp, dd, dd->de_label, de, de->de_label); } void mac_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen, struct devfs_dirent *de) { 
MAC_POLICY_PERFORM_NOSLEEP(devfs_create_directory, mp, dirname, dirnamelen, de, de->de_label); } /* * Implementation of VOP_SETLABEL() that relies on extended attributes to * store label data. Can be referenced by filesystems supporting extended * attributes. */ int vop_stdsetlabel_ea(struct vop_setlabel_args *ap) { struct vnode *vp = ap->a_vp; struct label *intlabel = ap->a_label; int error; ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea"); if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) return (EOPNOTSUPP); error = mac_vnode_setlabel_extattr(ap->a_cred, vp, intlabel); if (error) return (error); mac_vnode_relabel(ap->a_cred, vp, intlabel); return (0); } int vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) { int error; if (vp->v_mount == NULL) { /* printf("vn_setlabel: null v_mount\n"); */ if (vp->v_type != VNON) printf("vn_setlabel: null v_mount with non-VNON\n"); return (EBADF); } if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) return (EOPNOTSUPP); /* * Multi-phase commit. First check the policies to confirm the * change is OK. Then commit via the filesystem. Finally, update * the actual vnode label. * * Question: maybe the filesystem should update the vnode at the end * as part of VOP_SETLABEL()? */ error = mac_vnode_check_relabel(cred, vp, intlabel); if (error) return (error); /* * VADMIN provides the opportunity for the filesystem to make * decisions about who is and is not able to modify labels and * protections on files. This might not be right. We can't assume * VOP_SETLABEL() will do it, because we might implement that as part * of vop_stdsetlabel_ea(). */ error = VOP_ACCESS(vp, VADMIN, cred, curthread); if (error) return (error); error = VOP_SETLABEL(vp, intlabel, cred, curthread); if (error) return (error); return (0); } + +#ifdef DEBUG_VFS_LOCKS +void +mac_vnode_assert_locked(struct vnode *vp, const char *func) +{ + + ASSERT_VOP_LOCKED(vp, func); +} +#endif