2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2002-2005 Networks Associates Technology, Inc.
7 * This software was developed for the FreeBSD Project by Network Associates
8 * Laboratories, the Security Research Division of Network Associates, Inc.
9 * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
10 * DARPA CHATS research program.
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 #include <sys/param.h>
36 #include <sys/errno.h>
38 #include <sys/sysctl.h>
39 #include <sys/ucred.h>
40 #include <sys/mount.h>
42 #include <security/mac_bsdextended/mac_bsdextended.h>
53 * Text format for rules: rules contain subject and object elements, mode.
54 * The total form is "subject [s_element] object [o_element] mode [mode]".
55 * At least * one of a uid or gid entry must be present; both may also be
59 #define MIB "security.mac.bsdextended"
62 bsde_rule_to_string(struct mac_bsdextended_rule *rule, char *buf, size_t buflen)
66 struct statfs *mntbuf;
67 char *cur, type[sizeof(rule->mbr_object.mbo_type) * CHAR_BIT + 1];
69 int anymode, unknownmode, numfs, i, notdone;
74 len = snprintf(cur, left, "subject ");
75 if (len < 0 || len > left)
79 if (rule->mbr_subject.mbs_flags) {
80 if (rule->mbr_subject.mbs_neg == MBS_ALL_FLAGS) {
81 len = snprintf(cur, left, "not ");
82 if (len < 0 || len > left)
91 if (!notdone && (rule->mbr_subject.mbs_neg & MBO_UID_DEFINED)) {
92 len = snprintf(cur, left, "! ");
93 if (len < 0 || len > left)
98 if (rule->mbr_subject.mbs_flags & MBO_UID_DEFINED) {
99 pwd = getpwuid(rule->mbr_subject.mbs_uid_min);
101 len = snprintf(cur, left, "uid %s",
103 if (len < 0 || len > left)
108 len = snprintf(cur, left, "uid %u",
109 rule->mbr_subject.mbs_uid_min);
110 if (len < 0 || len > left)
115 if (rule->mbr_subject.mbs_uid_min !=
116 rule->mbr_subject.mbs_uid_max) {
117 pwd = getpwuid(rule->mbr_subject.mbs_uid_max);
119 len = snprintf(cur, left, ":%s ",
121 if (len < 0 || len > left)
126 len = snprintf(cur, left, ":%u ",
127 rule->mbr_subject.mbs_uid_max);
128 if (len < 0 || len > left)
134 len = snprintf(cur, left, " ");
135 if (len < 0 || len > left)
141 if (!notdone && (rule->mbr_subject.mbs_neg & MBO_GID_DEFINED)) {
142 len = snprintf(cur, left, "! ");
143 if (len < 0 || len > left)
148 if (rule->mbr_subject.mbs_flags & MBO_GID_DEFINED) {
149 grp = getgrgid(rule->mbr_subject.mbs_gid_min);
151 len = snprintf(cur, left, "gid %s",
153 if (len < 0 || len > left)
158 len = snprintf(cur, left, "gid %u",
159 rule->mbr_subject.mbs_gid_min);
160 if (len < 0 || len > left)
165 if (rule->mbr_subject.mbs_gid_min !=
166 rule->mbr_subject.mbs_gid_max) {
167 grp = getgrgid(rule->mbr_subject.mbs_gid_max);
169 len = snprintf(cur, left, ":%s ",
171 if (len < 0 || len > left)
176 len = snprintf(cur, left, ":%u ",
177 rule->mbr_subject.mbs_gid_max);
178 if (len < 0 || len > left)
184 len = snprintf(cur, left, " ");
185 if (len < 0 || len > left)
191 if (!notdone && (rule->mbr_subject.mbs_neg & MBS_PRISON_DEFINED)) {
192 len = snprintf(cur, left, "! ");
193 if (len < 0 || len > left)
198 if (rule->mbr_subject.mbs_flags & MBS_PRISON_DEFINED) {
199 len = snprintf(cur, left, "jailid %d ",
200 rule->mbr_subject.mbs_prison);
201 if (len < 0 || len > left)
208 len = snprintf(cur, left, "object ");
209 if (len < 0 || len > left)
213 if (rule->mbr_object.mbo_flags) {
214 if (rule->mbr_object.mbo_neg == MBO_ALL_FLAGS) {
215 len = snprintf(cur, left, "not ");
216 if (len < 0 || len > left)
225 if (!notdone && (rule->mbr_object.mbo_neg & MBO_UID_DEFINED)) {
226 len = snprintf(cur, left, "! ");
227 if (len < 0 || len > left)
232 if (rule->mbr_object.mbo_flags & MBO_UID_DEFINED) {
233 pwd = getpwuid(rule->mbr_object.mbo_uid_min);
235 len = snprintf(cur, left, "uid %s",
237 if (len < 0 || len > left)
242 len = snprintf(cur, left, "uid %u",
243 rule->mbr_object.mbo_uid_min);
244 if (len < 0 || len > left)
249 if (rule->mbr_object.mbo_uid_min !=
250 rule->mbr_object.mbo_uid_max) {
251 pwd = getpwuid(rule->mbr_object.mbo_uid_max);
253 len = snprintf(cur, left, ":%s ",
255 if (len < 0 || len > left)
260 len = snprintf(cur, left, ":%u ",
261 rule->mbr_object.mbo_uid_max);
262 if (len < 0 || len > left)
268 len = snprintf(cur, left, " ");
269 if (len < 0 || len > left)
275 if (!notdone && (rule->mbr_object.mbo_neg & MBO_GID_DEFINED)) {
276 len = snprintf(cur, left, "! ");
277 if (len < 0 || len > left)
282 if (rule->mbr_object.mbo_flags & MBO_GID_DEFINED) {
283 grp = getgrgid(rule->mbr_object.mbo_gid_min);
285 len = snprintf(cur, left, "gid %s",
287 if (len < 0 || len > left)
292 len = snprintf(cur, left, "gid %u",
293 rule->mbr_object.mbo_gid_min);
294 if (len < 0 || len > left)
299 if (rule->mbr_object.mbo_gid_min !=
300 rule->mbr_object.mbo_gid_max) {
301 grp = getgrgid(rule->mbr_object.mbo_gid_max);
303 len = snprintf(cur, left, ":%s ",
305 if (len < 0 || len > left)
310 len = snprintf(cur, left, ":%u ",
311 rule->mbr_object.mbo_gid_max);
312 if (len < 0 || len > left)
318 len = snprintf(cur, left, " ");
319 if (len < 0 || len > left)
325 if (!notdone && (rule->mbr_object.mbo_neg & MBO_FSID_DEFINED)) {
326 len = snprintf(cur, left, "! ");
327 if (len < 0 || len > left)
332 if (rule->mbr_object.mbo_flags & MBO_FSID_DEFINED) {
333 numfs = getmntinfo(&mntbuf, MNT_NOWAIT);
334 for (i = 0; i < numfs; i++)
335 if (memcmp(&(rule->mbr_object.mbo_fsid),
337 sizeof(mntbuf[i].f_fsid)) == 0)
339 len = snprintf(cur, left, "filesys %s ",
340 i == numfs ? "???" : mntbuf[i].f_mntonname);
341 if (len < 0 || len > left)
346 if (!notdone && (rule->mbr_object.mbo_neg & MBO_SUID)) {
347 len = snprintf(cur, left, "! ");
348 if (len < 0 || len > left)
353 if (rule->mbr_object.mbo_flags & MBO_SUID) {
354 len = snprintf(cur, left, "suid ");
355 if (len < 0 || len > left)
360 if (!notdone && (rule->mbr_object.mbo_neg & MBO_SGID)) {
361 len = snprintf(cur, left, "! ");
362 if (len < 0 || len > left)
367 if (rule->mbr_object.mbo_flags & MBO_SGID) {
368 len = snprintf(cur, left, "sgid ");
369 if (len < 0 || len > left)
374 if (!notdone && (rule->mbr_object.mbo_neg & MBO_UID_SUBJECT)) {
375 len = snprintf(cur, left, "! ");
376 if (len < 0 || len > left)
381 if (rule->mbr_object.mbo_flags & MBO_UID_SUBJECT) {
382 len = snprintf(cur, left, "uid_of_subject ");
383 if (len < 0 || len > left)
388 if (!notdone && (rule->mbr_object.mbo_neg & MBO_GID_SUBJECT)) {
389 len = snprintf(cur, left, "! ");
390 if (len < 0 || len > left)
395 if (rule->mbr_object.mbo_flags & MBO_GID_SUBJECT) {
396 len = snprintf(cur, left, "gid_of_subject ");
397 if (len < 0 || len > left)
402 if (!notdone && (rule->mbr_object.mbo_neg & MBO_TYPE_DEFINED)) {
403 len = snprintf(cur, left, "! ");
404 if (len < 0 || len > left)
409 if (rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) {
411 if (rule->mbr_object.mbo_type & MBO_TYPE_REG)
413 if (rule->mbr_object.mbo_type & MBO_TYPE_DIR)
415 if (rule->mbr_object.mbo_type & MBO_TYPE_BLK)
417 if (rule->mbr_object.mbo_type & MBO_TYPE_CHR)
419 if (rule->mbr_object.mbo_type & MBO_TYPE_LNK)
421 if (rule->mbr_object.mbo_type & MBO_TYPE_SOCK)
423 if (rule->mbr_object.mbo_type & MBO_TYPE_FIFO)
425 if (rule->mbr_object.mbo_type == MBO_ALL_TYPE) {
430 len = snprintf(cur, left, "type %s ", type);
431 if (len < 0 || len > left)
438 len = snprintf(cur, left, "mode ");
439 if (len < 0 || len > left)
444 anymode = (rule->mbr_mode & MBI_ALLPERM);
445 unknownmode = (rule->mbr_mode & ~MBI_ALLPERM);
447 if (rule->mbr_mode & MBI_ADMIN) {
448 len = snprintf(cur, left, "a");
449 if (len < 0 || len > left)
455 if (rule->mbr_mode & MBI_READ) {
456 len = snprintf(cur, left, "r");
457 if (len < 0 || len > left)
463 if (rule->mbr_mode & MBI_STAT) {
464 len = snprintf(cur, left, "s");
465 if (len < 0 || len > left)
471 if (rule->mbr_mode & MBI_WRITE) {
472 len = snprintf(cur, left, "w");
473 if (len < 0 || len > left)
479 if (rule->mbr_mode & MBI_EXEC) {
480 len = snprintf(cur, left, "x");
481 if (len < 0 || len > left)
488 len = snprintf(cur, left, "n");
489 if (len < 0 || len > left)
496 len = snprintf(cur, left, "?");
497 if (len < 0 || len > left)
511 bsde_parse_uidrange(char *spec, uid_t *min, uid_t *max,
512 size_t buflen, char *errstr){
515 char *spec1, *spec2, *endp;
519 spec1 = strsep(&spec2, ":");
521 pwd = getpwnam(spec1);
525 value = strtoul(spec1, &endp, 10);
527 snprintf(errstr, buflen, "invalid uid: '%s'", spec1);
538 pwd = getpwnam(spec2);
542 value = strtoul(spec2, &endp, 10);
544 snprintf(errstr, buflen, "invalid uid: '%s'", spec2);
557 bsde_parse_gidrange(char *spec, gid_t *min, gid_t *max,
558 size_t buflen, char *errstr){
561 char *spec1, *spec2, *endp;
565 spec1 = strsep(&spec2, ":");
567 grp = getgrnam(spec1);
571 value = strtoul(spec1, &endp, 10);
573 snprintf(errstr, buflen, "invalid gid: '%s'", spec1);
584 grp = getgrnam(spec2);
588 value = strtoul(spec2, &endp, 10);
590 snprintf(errstr, buflen, "invalid gid: '%s'", spec2);
603 bsde_parse_subject(int argc, char *argv[],
604 struct mac_bsdextended_subject *subject, size_t buflen, char *errstr)
607 int current, neg, nextnot;
609 uid_t uid_min, uid_max;
610 gid_t gid_min, gid_max;
619 if (strcmp("not", argv[current]) == 0) {
625 while (current < argc) {
626 if (strcmp(argv[current], "uid") == 0) {
627 if (current + 2 > argc) {
628 snprintf(errstr, buflen, "uid short");
631 if (flags & MBS_UID_DEFINED) {
632 snprintf(errstr, buflen, "one uid only");
635 if (bsde_parse_uidrange(argv[current+1],
636 &uid_min, &uid_max, buflen, errstr) < 0)
638 flags |= MBS_UID_DEFINED;
640 neg ^= MBS_UID_DEFINED;
644 } else if (strcmp(argv[current], "gid") == 0) {
645 if (current + 2 > argc) {
646 snprintf(errstr, buflen, "gid short");
649 if (flags & MBS_GID_DEFINED) {
650 snprintf(errstr, buflen, "one gid only");
653 if (bsde_parse_gidrange(argv[current+1],
654 &gid_min, &gid_max, buflen, errstr) < 0)
656 flags |= MBS_GID_DEFINED;
658 neg ^= MBS_GID_DEFINED;
662 } else if (strcmp(argv[current], "jailid") == 0) {
663 if (current + 2 > argc) {
664 snprintf(errstr, buflen, "prison short");
667 if (flags & MBS_PRISON_DEFINED) {
668 snprintf(errstr, buflen, "one jail only");
671 value = strtol(argv[current+1], &endp, 10);
673 snprintf(errstr, buflen, "invalid jid: '%s'",
678 flags |= MBS_PRISON_DEFINED;
680 neg ^= MBS_PRISON_DEFINED;
684 } else if (strcmp(argv[current], "!") == 0) {
686 snprintf(errstr, buflen, "double negative");
692 snprintf(errstr, buflen, "'%s' not expected",
698 subject->mbs_flags = flags;
700 subject->mbs_neg = MBS_ALL_FLAGS ^ neg;
702 subject->mbs_neg = neg;
703 if (flags & MBS_UID_DEFINED) {
704 subject->mbs_uid_min = uid_min;
705 subject->mbs_uid_max = uid_max;
707 if (flags & MBS_GID_DEFINED) {
708 subject->mbs_gid_min = gid_min;
709 subject->mbs_gid_max = gid_max;
711 if (flags & MBS_PRISON_DEFINED)
712 subject->mbs_prison = jid;
718 bsde_parse_type(char *spec, int *type, size_t buflen, char *errstr)
723 for (i = 0; i < strlen(spec); i++) {
727 *type |= MBO_TYPE_REG;
730 *type |= MBO_TYPE_DIR;
733 *type |= MBO_TYPE_BLK;
736 *type |= MBO_TYPE_CHR;
739 *type |= MBO_TYPE_LNK;
742 *type |= MBO_TYPE_SOCK;
745 *type |= MBO_TYPE_FIFO;
748 *type |= MBO_ALL_TYPE;
751 snprintf(errstr, buflen, "Unknown type code: %c",
761 bsde_parse_fsid(char *spec, struct fsid *fsid, size_t buflen, char *errstr)
765 if (statfs(spec, &buf) < 0) {
766 snprintf(errstr, buflen, "Unable to get id for %s: %s",
767 spec, strerror(errno));
777 bsde_parse_object(int argc, char *argv[],
778 struct mac_bsdextended_object *object, size_t buflen, char *errstr)
781 int current, neg, nextnot;
783 uid_t uid_min, uid_max;
784 gid_t gid_min, gid_max;
793 if (strcmp("not", argv[current]) == 0) {
799 while (current < argc) {
800 if (strcmp(argv[current], "uid") == 0) {
801 if (current + 2 > argc) {
802 snprintf(errstr, buflen, "uid short");
805 if (flags & MBO_UID_DEFINED) {
806 snprintf(errstr, buflen, "one uid only");
809 if (bsde_parse_uidrange(argv[current+1],
810 &uid_min, &uid_max, buflen, errstr) < 0)
812 flags |= MBO_UID_DEFINED;
814 neg ^= MBO_UID_DEFINED;
818 } else if (strcmp(argv[current], "gid") == 0) {
819 if (current + 2 > argc) {
820 snprintf(errstr, buflen, "gid short");
823 if (flags & MBO_GID_DEFINED) {
824 snprintf(errstr, buflen, "one gid only");
827 if (bsde_parse_gidrange(argv[current+1],
828 &gid_min, &gid_max, buflen, errstr) < 0)
830 flags |= MBO_GID_DEFINED;
832 neg ^= MBO_GID_DEFINED;
836 } else if (strcmp(argv[current], "filesys") == 0) {
837 if (current + 2 > argc) {
838 snprintf(errstr, buflen, "filesys short");
841 if (flags & MBO_FSID_DEFINED) {
842 snprintf(errstr, buflen, "one fsid only");
845 if (bsde_parse_fsid(argv[current+1], &fsid,
848 flags |= MBO_FSID_DEFINED;
850 neg ^= MBO_FSID_DEFINED;
854 } else if (strcmp(argv[current], "suid") == 0) {
861 } else if (strcmp(argv[current], "sgid") == 0) {
868 } else if (strcmp(argv[current], "uid_of_subject") == 0) {
869 flags |= MBO_UID_SUBJECT;
871 neg ^= MBO_UID_SUBJECT;
875 } else if (strcmp(argv[current], "gid_of_subject") == 0) {
876 flags |= MBO_GID_SUBJECT;
878 neg ^= MBO_GID_SUBJECT;
882 } else if (strcmp(argv[current], "type") == 0) {
883 if (current + 2 > argc) {
884 snprintf(errstr, buflen, "type short");
887 if (flags & MBO_TYPE_DEFINED) {
888 snprintf(errstr, buflen, "one type only");
891 if (bsde_parse_type(argv[current+1], &type,
894 flags |= MBO_TYPE_DEFINED;
896 neg ^= MBO_TYPE_DEFINED;
900 } else if (strcmp(argv[current], "!") == 0) {
902 snprintf(errstr, buflen,
909 snprintf(errstr, buflen, "'%s' not expected",
915 object->mbo_flags = flags;
917 object->mbo_neg = MBO_ALL_FLAGS ^ neg;
919 object->mbo_neg = neg;
920 if (flags & MBO_UID_DEFINED) {
921 object->mbo_uid_min = uid_min;
922 object->mbo_uid_max = uid_max;
924 if (flags & MBO_GID_DEFINED) {
925 object->mbo_gid_min = gid_min;
926 object->mbo_gid_max = gid_max;
928 if (flags & MBO_FSID_DEFINED)
929 object->mbo_fsid = fsid;
930 if (flags & MBO_TYPE_DEFINED)
931 object->mbo_type = type;
937 bsde_parse_mode(int argc, char *argv[], mode_t *mode, size_t buflen,
943 snprintf(errstr, buflen, "mode expects mode value");
948 snprintf(errstr, buflen, "'%s' unexpected", argv[1]);
953 for (i = 0; i < strlen(argv[0]); i++) {
954 switch (argv[0][i]) {
974 snprintf(errstr, buflen, "Unknown mode letter: %c",
984 bsde_parse_rule(int argc, char *argv[], struct mac_bsdextended_rule *rule,
985 size_t buflen, char *errstr)
987 int subject, subject_elements, subject_elements_length;
988 int object, object_elements, object_elements_length;
989 int mode, mode_elements, mode_elements_length;
992 bzero(rule, sizeof(*rule));
995 snprintf(errstr, buflen, "Rule must begin with subject");
999 if (strcmp(argv[0], "subject") != 0) {
1000 snprintf(errstr, buflen, "Rule must begin with subject");
1004 subject_elements = 1;
1006 /* Search forward for object. */
1009 for (i = 1; i < argc; i++)
1010 if (strcmp(argv[i], "object") == 0)
1014 snprintf(errstr, buflen, "Rule must contain an object");
1018 /* Search forward for mode. */
1020 for (i = object; i < argc; i++)
1021 if (strcmp(argv[i], "mode") == 0)
1025 snprintf(errstr, buflen, "Rule must contain mode");
1029 subject_elements_length = object - subject - 1;
1030 object_elements = object + 1;
1031 object_elements_length = mode - object_elements;
1032 mode_elements = mode + 1;
1033 mode_elements_length = argc - mode_elements;
1035 error = bsde_parse_subject(subject_elements_length,
1036 argv + subject_elements, &rule->mbr_subject, buflen, errstr);
1040 error = bsde_parse_object(object_elements_length,
1041 argv + object_elements, &rule->mbr_object, buflen, errstr);
1045 error = bsde_parse_mode(mode_elements_length, argv + mode_elements,
1046 &rule->mbr_mode, buflen, errstr);
1054 bsde_parse_rule_string(const char *string, struct mac_bsdextended_rule *rule,
1055 size_t buflen, char *errstr)
1057 char *stringdup, *stringp, *argv[100], **ap;
1060 stringp = stringdup = strdup(string);
1061 while (*stringp == ' ' || *stringp == '\t')
1065 for (ap = argv; (*ap = strsep(&stringp, " \t")) != NULL;) {
1068 if (++ap >= &argv[100])
1072 error = bsde_parse_rule(argc, argv, rule, buflen, errstr);
1080 bsde_get_mib(const char *string, int *name, size_t *namelen)
1086 error = sysctlnametomib(string, name, &len);
1095 bsde_check_version(size_t buflen, char *errstr)
1101 len = sizeof(version);
1102 error = sysctlbyname(MIB ".rule_version", &version, &len, NULL, 0);
1104 snprintf(errstr, buflen, "version check failed: %s",
1108 if (version != MB_VERSION) {
1109 snprintf(errstr, buflen, "module v%d != library v%d",
1110 version, MB_VERSION);
1117 bsde_get_rule_count(size_t buflen, char *errstr)
1123 len = sizeof(rule_count);
1124 error = sysctlbyname(MIB ".rule_count", &rule_count, &len, NULL, 0);
1126 snprintf(errstr, buflen, "%s", strerror(errno));
1129 if (len != sizeof(rule_count)) {
1130 snprintf(errstr, buflen, "Data error in %s.rule_count",
1135 return (rule_count);
1139 bsde_get_rule_slots(size_t buflen, char *errstr)
1145 len = sizeof(rule_slots);
1146 error = sysctlbyname(MIB ".rule_slots", &rule_slots, &len, NULL, 0);
1148 snprintf(errstr, buflen, "%s", strerror(errno));
1151 if (len != sizeof(rule_slots)) {
1152 snprintf(errstr, buflen, "Data error in %s.rule_slots", MIB);
1156 return (rule_slots);
1160 * Returns 0 for success;
1161 * Returns -1 for failure;
1162 * Returns -2 for not present
1165 bsde_get_rule(int rulenum, struct mac_bsdextended_rule *rule, size_t errlen,
1172 if (bsde_check_version(errlen, errstr) != 0)
1176 error = bsde_get_mib(MIB ".rules", name, &len);
1178 snprintf(errstr, errlen, "%s: %s", MIB ".rules",
1183 size = sizeof(*rule);
1184 name[len] = rulenum;
1186 error = sysctl(name, len, rule, &size, NULL, 0);
1187 if (error == -1 && errno == ENOENT)
1190 snprintf(errstr, errlen, "%s.%d: %s", MIB ".rules",
1191 rulenum, strerror(errno));
1193 } else if (size != sizeof(*rule)) {
1194 snprintf(errstr, errlen, "Data error in %s.%d: %s",
1195 MIB ".rules", rulenum, strerror(errno));
1203 bsde_delete_rule(int rulenum, size_t buflen, char *errstr)
1205 struct mac_bsdextended_rule rule;
1210 if (bsde_check_version(buflen, errstr) != 0)
1214 error = bsde_get_mib(MIB ".rules", name, &len);
1216 snprintf(errstr, buflen, "%s: %s", MIB ".rules",
1221 name[len] = rulenum;
1224 error = sysctl(name, len, NULL, NULL, &rule, 0);
1226 snprintf(errstr, buflen, "%s.%d: %s", MIB ".rules",
1227 rulenum, strerror(errno));
1235 bsde_set_rule(int rulenum, struct mac_bsdextended_rule *rule, size_t buflen,
1242 if (bsde_check_version(buflen, errstr) != 0)
1246 error = bsde_get_mib(MIB ".rules", name, &len);
1248 snprintf(errstr, buflen, "%s: %s", MIB ".rules",
1253 name[len] = rulenum;
1256 error = sysctl(name, len, NULL, NULL, rule, sizeof(*rule));
1258 snprintf(errstr, buflen, "%s.%d: %s", MIB ".rules",
1259 rulenum, strerror(errno));
1267 bsde_add_rule(int *rulenum, struct mac_bsdextended_rule *rule, size_t buflen,
1270 char charstr[BUFSIZ];
1273 int error, rule_slots;
1275 if (bsde_check_version(buflen, errstr) != 0)
1279 error = bsde_get_mib(MIB ".rules", name, &len);
1281 snprintf(errstr, buflen, "%s: %s", MIB ".rules",
1286 rule_slots = bsde_get_rule_slots(BUFSIZ, charstr);
1287 if (rule_slots == -1) {
1288 snprintf(errstr, buflen, "unable to get rule slots: %s",
1293 name[len] = rule_slots;
1296 error = sysctl(name, len, NULL, NULL, rule, sizeof(*rule));
1298 snprintf(errstr, buflen, "%s.%d: %s", MIB ".rules",
1299 rule_slots, strerror(errno));
1303 if (rulenum != NULL)
1304 *rulenum = rule_slots;
projects / FreeBSD / FreeBSD.git / blob