2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
5 * Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
8 * This software was developed by Robert Watson for the TrustedBSD Project.
10 * This software was developed for the FreeBSD Project in part by Network
11 * Associates Laboratories, the Security Research Division of Network
12 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
13 * as part of the DARPA CHATS research program.
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
24 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 #include <sys/cdefs.h>
38 __FBSDID("$FreeBSD$");
40 #include <sys/types.h>
41 #include <sys/queue.h>
42 #include <sys/sysctl.h>
54 static int internal_initialized;
57 * Maintain a list of default label preparations for various object
58 * types. Each name will appear only once in the list.
60 * XXXMAC: Not thread-safe.
62 static LIST_HEAD(, label_default) label_default_head;
63 struct label_default {
66 LIST_ENTRY(label_default) ld_entries;
70 mac_destroy_labels(void)
72 struct label_default *ld;
74 while ((ld = LIST_FIRST(&label_default_head))) {
77 LIST_REMOVE(ld, ld_entries);
83 mac_destroy_internal(void)
88 internal_initialized = 0;
92 mac_add_type(const char *name, const char *labels)
94 struct label_default *ld, *ld_new;
95 char *name_dup, *labels_dup;
98 * Speculatively allocate all the memory now to avoid allocating
99 * later when we will someday hold a mutex.
101 name_dup = strdup(name);
102 if (name_dup == NULL) {
106 labels_dup = strdup(labels);
107 if (labels_dup == NULL) {
112 ld_new = malloc(sizeof(*ld));
113 if (ld_new == NULL) {
121 * If the type is already present, replace the current entry
122 * rather than add a new instance.
124 for (ld = LIST_FIRST(&label_default_head); ld != NULL;
125 ld = LIST_NEXT(ld, ld_entries)) {
126 if (strcmp(name, ld->ld_name) == 0)
132 ld->ld_labels = labels_dup;
136 ld->ld_name = name_dup;
137 ld->ld_labels = labels_dup;
143 LIST_INSERT_HEAD(&label_default_head, ld, ld_entries);
146 if (name_dup != NULL)
148 if (labels_dup != NULL)
157 next_token(char **string)
161 token = strsep(string, " \t");
162 while (token != NULL && *token == '\0')
163 token = strsep(string, " \t");
169 mac_init_internal(int ignore_errors)
171 const char *filename;
178 LIST_INIT(&label_default_head);
180 if (!issetugid() && getenv("MAC_CONFFILE") != NULL)
181 filename = getenv("MAC_CONFFILE");
183 filename = MAC_CONFFILE;
184 file = fopen(filename, "re");
188 while (fgets(line, LINE_MAX, file)) {
189 char *comment, *parse, *statement;
191 if (line[strlen(line)-1] == '\n')
192 line[strlen(line)-1] = '\0';
201 /* Remove any comment. */
203 parse = strsep(&comment, "#");
205 /* Blank lines OK. */
206 statement = next_token(&parse);
207 if (statement == NULL)
210 if (strcmp(statement, "default_labels") == 0) {
213 name = next_token(&parse);
214 labels = next_token(&parse);
215 if (name == NULL || labels == NULL ||
216 next_token(&parse) != NULL) {
224 if (mac_add_type(name, labels) == -1) {
230 } else if (strcmp(statement, "default_ifnet_labels") == 0 ||
231 strcmp(statement, "default_file_labels") == 0 ||
232 strcmp(statement, "default_process_labels") == 0) {
235 if (strcmp(statement, "default_ifnet_labels") == 0)
237 else if (strcmp(statement, "default_file_labels") == 0)
239 else if (strcmp(statement, "default_process_labels") ==
243 labels = next_token(&parse);
244 if (labels == NULL || next_token(&parse) != NULL) {
252 if (mac_add_type(type, labels) == -1) {
269 internal_initialized = 1;
273 mac_destroy_internal();
278 mac_maybe_init_internal(void)
281 if (!internal_initialized)
282 return (mac_init_internal(1));
291 if (internal_initialized)
292 mac_destroy_internal();
293 return (mac_init_internal(0));
297 mac_free(struct mac *mac)
300 if (mac->m_string != NULL)
308 mac_from_text(struct mac **mac, const char *text)
311 *mac = (struct mac *) malloc(sizeof(**mac));
315 (*mac)->m_string = strdup(text);
316 if ((*mac)->m_string == NULL) {
322 (*mac)->m_buflen = strlen((*mac)->m_string)+1;
328 mac_to_text(struct mac *mac, char **text)
331 *text = strdup(mac->m_string);
338 mac_prepare(struct mac **mac, const char *elements)
341 if (strlen(elements) >= MAC_MAX_LABEL_BUF_LEN)
344 *mac = (struct mac *) malloc(sizeof(**mac));
348 (*mac)->m_string = malloc(MAC_MAX_LABEL_BUF_LEN);
349 if ((*mac)->m_string == NULL) {
355 strcpy((*mac)->m_string, elements);
356 (*mac)->m_buflen = MAC_MAX_LABEL_BUF_LEN;
362 mac_prepare_type(struct mac **mac, const char *name)
364 struct label_default *ld;
367 error = mac_maybe_init_internal();
371 for (ld = LIST_FIRST(&label_default_head); ld != NULL;
372 ld = LIST_NEXT(ld, ld_entries)) {
373 if (strcmp(name, ld->ld_name) == 0)
374 return (mac_prepare(mac, ld->ld_labels));
378 return (-1); /* XXXMAC: ENOLABEL */
382 mac_prepare_ifnet_label(struct mac **mac)
385 return (mac_prepare_type(mac, "ifnet"));
389 mac_prepare_file_label(struct mac **mac)
392 return (mac_prepare_type(mac, "file"));
396 mac_prepare_packet_label(struct mac **mac)
399 return (mac_prepare_type(mac, "packet"));
403 mac_prepare_process_label(struct mac **mac)
406 return (mac_prepare_type(mac, "process"));
410 * Simply test whether the TrustedBSD/MAC MIB tree is present; if so,
411 * return 1 to indicate that the system has MAC enabled overall or for
415 mac_is_present(const char *policyname)
422 if (policyname != NULL) {
423 if (policyname[strcspn(policyname, ".=")] != '\0') {
427 mibname = malloc(sizeof("security.mac.") - 1 +
428 strlen(policyname) + sizeof(".enabled"));
431 strcpy(mibname, "security.mac.");
432 strcat(mibname, policyname);
433 strcat(mibname, ".enabled");
435 error = sysctlnametomib(mibname, mib, &siz);
439 error = sysctlnametomib("security.mac", mib, &siz);
projects / FreeBSD / FreeBSD.git / blob