2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2002-2005 Networks Associates Technology, Inc.
7 * This software was developed for the FreeBSD Project by Network Associates
8 * Laboratories, the Security Research Division of Network Associates, Inc.
9 * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
10 * DARPA CHATS research program.
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 #include <sys/param.h>
36 #include <sys/errno.h>
39 #include <sys/sysctl.h>
40 #include <sys/ucred.h>
42 #include <sys/mount.h>
44 #include <security/mac_bsdextended/mac_bsdextended.h>
55 * Text format for rules: rules contain subject and object elements, mode.
56 * The total form is "subject [s_element] object [o_element] mode [mode]".
57 * At least * one of a uid or gid entry must be present; both may also be
61 #define MIB "security.mac.bsdextended"
64 bsde_rule_to_string(struct mac_bsdextended_rule *rule, char *buf, size_t buflen)
68 struct statfs *mntbuf;
69 char *cur, type[sizeof(rule->mbr_object.mbo_type) * CHAR_BIT + 1];
71 int anymode, unknownmode, numfs, i, notdone;
76 len = snprintf(cur, left, "subject ");
77 if (len < 0 || len > left)
81 if (rule->mbr_subject.mbs_flags) {
82 if (rule->mbr_subject.mbs_neg == MBS_ALL_FLAGS) {
83 len = snprintf(cur, left, "not ");
84 if (len < 0 || len > left)
93 if (!notdone && (rule->mbr_subject.mbs_neg & MBO_UID_DEFINED)) {
94 len = snprintf(cur, left, "! ");
95 if (len < 0 || len > left)
100 if (rule->mbr_subject.mbs_flags & MBO_UID_DEFINED) {
101 pwd = getpwuid(rule->mbr_subject.mbs_uid_min);
103 len = snprintf(cur, left, "uid %s",
105 if (len < 0 || len > left)
110 len = snprintf(cur, left, "uid %u",
111 rule->mbr_subject.mbs_uid_min);
112 if (len < 0 || len > left)
117 if (rule->mbr_subject.mbs_uid_min !=
118 rule->mbr_subject.mbs_uid_max) {
119 pwd = getpwuid(rule->mbr_subject.mbs_uid_max);
121 len = snprintf(cur, left, ":%s ",
123 if (len < 0 || len > left)
128 len = snprintf(cur, left, ":%u ",
129 rule->mbr_subject.mbs_uid_max);
130 if (len < 0 || len > left)
136 len = snprintf(cur, left, " ");
137 if (len < 0 || len > left)
143 if (!notdone && (rule->mbr_subject.mbs_neg & MBO_GID_DEFINED)) {
144 len = snprintf(cur, left, "! ");
145 if (len < 0 || len > left)
150 if (rule->mbr_subject.mbs_flags & MBO_GID_DEFINED) {
151 grp = getgrgid(rule->mbr_subject.mbs_gid_min);
153 len = snprintf(cur, left, "gid %s",
155 if (len < 0 || len > left)
160 len = snprintf(cur, left, "gid %u",
161 rule->mbr_subject.mbs_gid_min);
162 if (len < 0 || len > left)
167 if (rule->mbr_subject.mbs_gid_min !=
168 rule->mbr_subject.mbs_gid_max) {
169 grp = getgrgid(rule->mbr_subject.mbs_gid_max);
171 len = snprintf(cur, left, ":%s ",
173 if (len < 0 || len > left)
178 len = snprintf(cur, left, ":%u ",
179 rule->mbr_subject.mbs_gid_max);
180 if (len < 0 || len > left)
186 len = snprintf(cur, left, " ");
187 if (len < 0 || len > left)
193 if (!notdone && (rule->mbr_subject.mbs_neg & MBS_PRISON_DEFINED)) {
194 len = snprintf(cur, left, "! ");
195 if (len < 0 || len > left)
200 if (rule->mbr_subject.mbs_flags & MBS_PRISON_DEFINED) {
201 len = snprintf(cur, left, "jailid %d ",
202 rule->mbr_subject.mbs_prison);
203 if (len < 0 || len > left)
210 len = snprintf(cur, left, "object ");
211 if (len < 0 || len > left)
215 if (rule->mbr_object.mbo_flags) {
216 if (rule->mbr_object.mbo_neg == MBO_ALL_FLAGS) {
217 len = snprintf(cur, left, "not ");
218 if (len < 0 || len > left)
227 if (!notdone && (rule->mbr_object.mbo_neg & MBO_UID_DEFINED)) {
228 len = snprintf(cur, left, "! ");
229 if (len < 0 || len > left)
234 if (rule->mbr_object.mbo_flags & MBO_UID_DEFINED) {
235 pwd = getpwuid(rule->mbr_object.mbo_uid_min);
237 len = snprintf(cur, left, "uid %s",
239 if (len < 0 || len > left)
244 len = snprintf(cur, left, "uid %u",
245 rule->mbr_object.mbo_uid_min);
246 if (len < 0 || len > left)
251 if (rule->mbr_object.mbo_uid_min !=
252 rule->mbr_object.mbo_uid_max) {
253 pwd = getpwuid(rule->mbr_object.mbo_uid_max);
255 len = snprintf(cur, left, ":%s ",
257 if (len < 0 || len > left)
262 len = snprintf(cur, left, ":%u ",
263 rule->mbr_object.mbo_uid_max);
264 if (len < 0 || len > left)
270 len = snprintf(cur, left, " ");
271 if (len < 0 || len > left)
277 if (!notdone && (rule->mbr_object.mbo_neg & MBO_GID_DEFINED)) {
278 len = snprintf(cur, left, "! ");
279 if (len < 0 || len > left)
284 if (rule->mbr_object.mbo_flags & MBO_GID_DEFINED) {
285 grp = getgrgid(rule->mbr_object.mbo_gid_min);
287 len = snprintf(cur, left, "gid %s",
289 if (len < 0 || len > left)
294 len = snprintf(cur, left, "gid %u",
295 rule->mbr_object.mbo_gid_min);
296 if (len < 0 || len > left)
301 if (rule->mbr_object.mbo_gid_min !=
302 rule->mbr_object.mbo_gid_max) {
303 grp = getgrgid(rule->mbr_object.mbo_gid_max);
305 len = snprintf(cur, left, ":%s ",
307 if (len < 0 || len > left)
312 len = snprintf(cur, left, ":%u ",
313 rule->mbr_object.mbo_gid_max);
314 if (len < 0 || len > left)
320 len = snprintf(cur, left, " ");
321 if (len < 0 || len > left)
327 if (!notdone && (rule->mbr_object.mbo_neg & MBO_FSID_DEFINED)) {
328 len = snprintf(cur, left, "! ");
329 if (len < 0 || len > left)
334 if (rule->mbr_object.mbo_flags & MBO_FSID_DEFINED) {
335 numfs = getmntinfo(&mntbuf, MNT_NOWAIT);
336 for (i = 0; i < numfs; i++)
337 if (memcmp(&(rule->mbr_object.mbo_fsid),
339 sizeof(mntbuf[i].f_fsid)) == 0)
341 len = snprintf(cur, left, "filesys %s ",
342 i == numfs ? "???" : mntbuf[i].f_mntonname);
343 if (len < 0 || len > left)
348 if (!notdone && (rule->mbr_object.mbo_neg & MBO_SUID)) {
349 len = snprintf(cur, left, "! ");
350 if (len < 0 || len > left)
355 if (rule->mbr_object.mbo_flags & MBO_SUID) {
356 len = snprintf(cur, left, "suid ");
357 if (len < 0 || len > left)
362 if (!notdone && (rule->mbr_object.mbo_neg & MBO_SGID)) {
363 len = snprintf(cur, left, "! ");
364 if (len < 0 || len > left)
369 if (rule->mbr_object.mbo_flags & MBO_SGID) {
370 len = snprintf(cur, left, "sgid ");
371 if (len < 0 || len > left)
376 if (!notdone && (rule->mbr_object.mbo_neg & MBO_UID_SUBJECT)) {
377 len = snprintf(cur, left, "! ");
378 if (len < 0 || len > left)
383 if (rule->mbr_object.mbo_flags & MBO_UID_SUBJECT) {
384 len = snprintf(cur, left, "uid_of_subject ");
385 if (len < 0 || len > left)
390 if (!notdone && (rule->mbr_object.mbo_neg & MBO_GID_SUBJECT)) {
391 len = snprintf(cur, left, "! ");
392 if (len < 0 || len > left)
397 if (rule->mbr_object.mbo_flags & MBO_GID_SUBJECT) {
398 len = snprintf(cur, left, "gid_of_subject ");
399 if (len < 0 || len > left)
404 if (!notdone && (rule->mbr_object.mbo_neg & MBO_TYPE_DEFINED)) {
405 len = snprintf(cur, left, "! ");
406 if (len < 0 || len > left)
411 if (rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) {
413 if (rule->mbr_object.mbo_type & MBO_TYPE_REG)
415 if (rule->mbr_object.mbo_type & MBO_TYPE_DIR)
417 if (rule->mbr_object.mbo_type & MBO_TYPE_BLK)
419 if (rule->mbr_object.mbo_type & MBO_TYPE_CHR)
421 if (rule->mbr_object.mbo_type & MBO_TYPE_LNK)
423 if (rule->mbr_object.mbo_type & MBO_TYPE_SOCK)
425 if (rule->mbr_object.mbo_type & MBO_TYPE_FIFO)
427 if (rule->mbr_object.mbo_type == MBO_ALL_TYPE) {
432 len = snprintf(cur, left, "type %s ", type);
433 if (len < 0 || len > left)
440 len = snprintf(cur, left, "mode ");
441 if (len < 0 || len > left)
446 anymode = (rule->mbr_mode & MBI_ALLPERM);
447 unknownmode = (rule->mbr_mode & ~MBI_ALLPERM);
449 if (rule->mbr_mode & MBI_ADMIN) {
450 len = snprintf(cur, left, "a");
451 if (len < 0 || len > left)
457 if (rule->mbr_mode & MBI_READ) {
458 len = snprintf(cur, left, "r");
459 if (len < 0 || len > left)
465 if (rule->mbr_mode & MBI_STAT) {
466 len = snprintf(cur, left, "s");
467 if (len < 0 || len > left)
473 if (rule->mbr_mode & MBI_WRITE) {
474 len = snprintf(cur, left, "w");
475 if (len < 0 || len > left)
481 if (rule->mbr_mode & MBI_EXEC) {
482 len = snprintf(cur, left, "x");
483 if (len < 0 || len > left)
490 len = snprintf(cur, left, "n");
491 if (len < 0 || len > left)
498 len = snprintf(cur, left, "?");
499 if (len < 0 || len > left)
513 bsde_parse_uidrange(char *spec, uid_t *min, uid_t *max,
514 size_t buflen, char *errstr){
517 char *spec1, *spec2, *endp;
521 spec1 = strsep(&spec2, ":");
523 pwd = getpwnam(spec1);
527 value = strtoul(spec1, &endp, 10);
529 snprintf(errstr, buflen, "invalid uid: '%s'", spec1);
540 pwd = getpwnam(spec2);
544 value = strtoul(spec2, &endp, 10);
546 snprintf(errstr, buflen, "invalid uid: '%s'", spec2);
559 bsde_parse_gidrange(char *spec, gid_t *min, gid_t *max,
560 size_t buflen, char *errstr){
563 char *spec1, *spec2, *endp;
567 spec1 = strsep(&spec2, ":");
569 grp = getgrnam(spec1);
573 value = strtoul(spec1, &endp, 10);
575 snprintf(errstr, buflen, "invalid gid: '%s'", spec1);
586 grp = getgrnam(spec2);
590 value = strtoul(spec2, &endp, 10);
592 snprintf(errstr, buflen, "invalid gid: '%s'", spec2);
605 bsde_get_jailid(const char *name, size_t buflen, char *errstr)
609 struct iovec jiov[4];
611 /* Copy jail_getid(3) instead of messing with library dependancies */
612 jid = strtoul(name, &ep, 10);
615 jiov[0].iov_base = __DECONST(char *, "name");
616 jiov[0].iov_len = sizeof("name");
617 jiov[1].iov_len = strlen(name) + 1;
618 jiov[1].iov_base = alloca(jiov[1].iov_len);
619 strcpy(jiov[1].iov_base, name);
620 if (errstr && buflen) {
621 jiov[2].iov_base = __DECONST(char *, "errmsg");
622 jiov[2].iov_len = sizeof("errmsg");
623 jiov[3].iov_base = errstr;
624 jiov[3].iov_len = buflen;
626 jid = jail_get(jiov, 4, 0);
627 if (jid < 0 && !errstr[0])
628 snprintf(errstr, buflen, "jail_get: %s",
631 jid = jail_get(jiov, 2, 0);
636 bsde_parse_subject(int argc, char *argv[],
637 struct mac_bsdextended_subject *subject, size_t buflen, char *errstr)
640 int current, neg, nextnot;
641 uid_t uid_min, uid_max;
642 gid_t gid_min, gid_max;
650 if (strcmp("not", argv[current]) == 0) {
656 while (current < argc) {
657 if (strcmp(argv[current], "uid") == 0) {
658 if (current + 2 > argc) {
659 snprintf(errstr, buflen, "uid short");
662 if (flags & MBS_UID_DEFINED) {
663 snprintf(errstr, buflen, "one uid only");
666 if (bsde_parse_uidrange(argv[current+1],
667 &uid_min, &uid_max, buflen, errstr) < 0)
669 flags |= MBS_UID_DEFINED;
671 neg ^= MBS_UID_DEFINED;
675 } else if (strcmp(argv[current], "gid") == 0) {
676 if (current + 2 > argc) {
677 snprintf(errstr, buflen, "gid short");
680 if (flags & MBS_GID_DEFINED) {
681 snprintf(errstr, buflen, "one gid only");
684 if (bsde_parse_gidrange(argv[current+1],
685 &gid_min, &gid_max, buflen, errstr) < 0)
687 flags |= MBS_GID_DEFINED;
689 neg ^= MBS_GID_DEFINED;
693 } else if (strcmp(argv[current], "jailid") == 0) {
694 if (current + 2 > argc) {
695 snprintf(errstr, buflen, "prison short");
698 if (flags & MBS_PRISON_DEFINED) {
699 snprintf(errstr, buflen, "one jail only");
702 jid = bsde_get_jailid(argv[current+1], buflen, errstr);
705 flags |= MBS_PRISON_DEFINED;
707 neg ^= MBS_PRISON_DEFINED;
711 } else if (strcmp(argv[current], "!") == 0) {
713 snprintf(errstr, buflen, "double negative");
719 snprintf(errstr, buflen, "'%s' not expected",
725 subject->mbs_flags = flags;
727 subject->mbs_neg = MBS_ALL_FLAGS ^ neg;
729 subject->mbs_neg = neg;
730 if (flags & MBS_UID_DEFINED) {
731 subject->mbs_uid_min = uid_min;
732 subject->mbs_uid_max = uid_max;
734 if (flags & MBS_GID_DEFINED) {
735 subject->mbs_gid_min = gid_min;
736 subject->mbs_gid_max = gid_max;
738 if (flags & MBS_PRISON_DEFINED)
739 subject->mbs_prison = jid;
745 bsde_parse_type(char *spec, int *type, size_t buflen, char *errstr)
750 for (i = 0; i < strlen(spec); i++) {
754 *type |= MBO_TYPE_REG;
757 *type |= MBO_TYPE_DIR;
760 *type |= MBO_TYPE_BLK;
763 *type |= MBO_TYPE_CHR;
766 *type |= MBO_TYPE_LNK;
769 *type |= MBO_TYPE_SOCK;
772 *type |= MBO_TYPE_FIFO;
775 *type |= MBO_ALL_TYPE;
778 snprintf(errstr, buflen, "Unknown type code: %c",
788 bsde_parse_fsid(char *spec, struct fsid *fsid, size_t buflen, char *errstr)
792 if (statfs(spec, &buf) < 0) {
793 snprintf(errstr, buflen, "Unable to get id for %s: %s",
794 spec, strerror(errno));
804 bsde_parse_object(int argc, char *argv[],
805 struct mac_bsdextended_object *object, size_t buflen, char *errstr)
808 int current, neg, nextnot;
810 uid_t uid_min, uid_max;
811 gid_t gid_min, gid_max;
820 if (strcmp("not", argv[current]) == 0) {
826 while (current < argc) {
827 if (strcmp(argv[current], "uid") == 0) {
828 if (current + 2 > argc) {
829 snprintf(errstr, buflen, "uid short");
832 if (flags & MBO_UID_DEFINED) {
833 snprintf(errstr, buflen, "one uid only");
836 if (bsde_parse_uidrange(argv[current+1],
837 &uid_min, &uid_max, buflen, errstr) < 0)
839 flags |= MBO_UID_DEFINED;
841 neg ^= MBO_UID_DEFINED;
845 } else if (strcmp(argv[current], "gid") == 0) {
846 if (current + 2 > argc) {
847 snprintf(errstr, buflen, "gid short");
850 if (flags & MBO_GID_DEFINED) {
851 snprintf(errstr, buflen, "one gid only");
854 if (bsde_parse_gidrange(argv[current+1],
855 &gid_min, &gid_max, buflen, errstr) < 0)
857 flags |= MBO_GID_DEFINED;
859 neg ^= MBO_GID_DEFINED;
863 } else if (strcmp(argv[current], "filesys") == 0) {
864 if (current + 2 > argc) {
865 snprintf(errstr, buflen, "filesys short");
868 if (flags & MBO_FSID_DEFINED) {
869 snprintf(errstr, buflen, "one fsid only");
872 if (bsde_parse_fsid(argv[current+1], &fsid,
875 flags |= MBO_FSID_DEFINED;
877 neg ^= MBO_FSID_DEFINED;
881 } else if (strcmp(argv[current], "suid") == 0) {
888 } else if (strcmp(argv[current], "sgid") == 0) {
895 } else if (strcmp(argv[current], "uid_of_subject") == 0) {
896 flags |= MBO_UID_SUBJECT;
898 neg ^= MBO_UID_SUBJECT;
902 } else if (strcmp(argv[current], "gid_of_subject") == 0) {
903 flags |= MBO_GID_SUBJECT;
905 neg ^= MBO_GID_SUBJECT;
909 } else if (strcmp(argv[current], "type") == 0) {
910 if (current + 2 > argc) {
911 snprintf(errstr, buflen, "type short");
914 if (flags & MBO_TYPE_DEFINED) {
915 snprintf(errstr, buflen, "one type only");
918 if (bsde_parse_type(argv[current+1], &type,
921 flags |= MBO_TYPE_DEFINED;
923 neg ^= MBO_TYPE_DEFINED;
927 } else if (strcmp(argv[current], "!") == 0) {
929 snprintf(errstr, buflen,
936 snprintf(errstr, buflen, "'%s' not expected",
942 object->mbo_flags = flags;
944 object->mbo_neg = MBO_ALL_FLAGS ^ neg;
946 object->mbo_neg = neg;
947 if (flags & MBO_UID_DEFINED) {
948 object->mbo_uid_min = uid_min;
949 object->mbo_uid_max = uid_max;
951 if (flags & MBO_GID_DEFINED) {
952 object->mbo_gid_min = gid_min;
953 object->mbo_gid_max = gid_max;
955 if (flags & MBO_FSID_DEFINED)
956 object->mbo_fsid = fsid;
957 if (flags & MBO_TYPE_DEFINED)
958 object->mbo_type = type;
964 bsde_parse_mode(int argc, char *argv[], mode_t *mode, size_t buflen,
970 snprintf(errstr, buflen, "mode expects mode value");
975 snprintf(errstr, buflen, "'%s' unexpected", argv[1]);
980 for (i = 0; i < strlen(argv[0]); i++) {
981 switch (argv[0][i]) {
1001 snprintf(errstr, buflen, "Unknown mode letter: %c",
1011 bsde_parse_rule(int argc, char *argv[], struct mac_bsdextended_rule *rule,
1012 size_t buflen, char *errstr)
1014 int subject, subject_elements, subject_elements_length;
1015 int object, object_elements, object_elements_length;
1016 int mode, mode_elements, mode_elements_length;
1019 bzero(rule, sizeof(*rule));
1022 snprintf(errstr, buflen, "Rule must begin with subject");
1026 if (strcmp(argv[0], "subject") != 0) {
1027 snprintf(errstr, buflen, "Rule must begin with subject");
1031 subject_elements = 1;
1033 /* Search forward for object. */
1036 for (i = 1; i < argc; i++)
1037 if (strcmp(argv[i], "object") == 0)
1041 snprintf(errstr, buflen, "Rule must contain an object");
1045 /* Search forward for mode. */
1047 for (i = object; i < argc; i++)
1048 if (strcmp(argv[i], "mode") == 0)
1052 snprintf(errstr, buflen, "Rule must contain mode");
1056 subject_elements_length = object - subject - 1;
1057 object_elements = object + 1;
1058 object_elements_length = mode - object_elements;
1059 mode_elements = mode + 1;
1060 mode_elements_length = argc - mode_elements;
1062 error = bsde_parse_subject(subject_elements_length,
1063 argv + subject_elements, &rule->mbr_subject, buflen, errstr);
1067 error = bsde_parse_object(object_elements_length,
1068 argv + object_elements, &rule->mbr_object, buflen, errstr);
1072 error = bsde_parse_mode(mode_elements_length, argv + mode_elements,
1073 &rule->mbr_mode, buflen, errstr);
1081 bsde_parse_rule_string(const char *string, struct mac_bsdextended_rule *rule,
1082 size_t buflen, char *errstr)
1084 char *stringdup, *stringp, *argv[100], **ap;
1087 stringp = stringdup = strdup(string);
1088 while (*stringp == ' ' || *stringp == '\t')
1092 for (ap = argv; (*ap = strsep(&stringp, " \t")) != NULL;) {
1095 if (++ap >= &argv[100])
1099 error = bsde_parse_rule(argc, argv, rule, buflen, errstr);
1107 bsde_get_mib(const char *string, int *name, size_t *namelen)
1113 error = sysctlnametomib(string, name, &len);
1122 bsde_check_version(size_t buflen, char *errstr)
1128 len = sizeof(version);
1129 error = sysctlbyname(MIB ".rule_version", &version, &len, NULL, 0);
1131 snprintf(errstr, buflen, "version check failed: %s",
1135 if (version != MB_VERSION) {
1136 snprintf(errstr, buflen, "module v%d != library v%d",
1137 version, MB_VERSION);
1144 bsde_get_rule_count(size_t buflen, char *errstr)
1150 len = sizeof(rule_count);
1151 error = sysctlbyname(MIB ".rule_count", &rule_count, &len, NULL, 0);
1153 snprintf(errstr, buflen, "%s", strerror(errno));
1156 if (len != sizeof(rule_count)) {
1157 snprintf(errstr, buflen, "Data error in %s.rule_count",
1162 return (rule_count);
1166 bsde_get_rule_slots(size_t buflen, char *errstr)
1172 len = sizeof(rule_slots);
1173 error = sysctlbyname(MIB ".rule_slots", &rule_slots, &len, NULL, 0);
1175 snprintf(errstr, buflen, "%s", strerror(errno));
1178 if (len != sizeof(rule_slots)) {
1179 snprintf(errstr, buflen, "Data error in %s.rule_slots", MIB);
1183 return (rule_slots);
1187 * Returns 0 for success;
1188 * Returns -1 for failure;
1189 * Returns -2 for not present
1192 bsde_get_rule(int rulenum, struct mac_bsdextended_rule *rule, size_t errlen,
1199 if (bsde_check_version(errlen, errstr) != 0)
1203 error = bsde_get_mib(MIB ".rules", name, &len);
1205 snprintf(errstr, errlen, "%s: %s", MIB ".rules",
1210 size = sizeof(*rule);
1211 name[len] = rulenum;
1213 error = sysctl(name, len, rule, &size, NULL, 0);
1214 if (error == -1 && errno == ENOENT)
1217 snprintf(errstr, errlen, "%s.%d: %s", MIB ".rules",
1218 rulenum, strerror(errno));
1220 } else if (size != sizeof(*rule)) {
1221 snprintf(errstr, errlen, "Data error in %s.%d: %s",
1222 MIB ".rules", rulenum, strerror(errno));
1230 bsde_delete_rule(int rulenum, size_t buflen, char *errstr)
1232 struct mac_bsdextended_rule rule;
1237 if (bsde_check_version(buflen, errstr) != 0)
1241 error = bsde_get_mib(MIB ".rules", name, &len);
1243 snprintf(errstr, buflen, "%s: %s", MIB ".rules",
1248 name[len] = rulenum;
1251 error = sysctl(name, len, NULL, NULL, &rule, 0);
1253 snprintf(errstr, buflen, "%s.%d: %s", MIB ".rules",
1254 rulenum, strerror(errno));
1262 bsde_set_rule(int rulenum, struct mac_bsdextended_rule *rule, size_t buflen,
1269 if (bsde_check_version(buflen, errstr) != 0)
1273 error = bsde_get_mib(MIB ".rules", name, &len);
1275 snprintf(errstr, buflen, "%s: %s", MIB ".rules",
1280 name[len] = rulenum;
1283 error = sysctl(name, len, NULL, NULL, rule, sizeof(*rule));
1285 snprintf(errstr, buflen, "%s.%d: %s", MIB ".rules",
1286 rulenum, strerror(errno));
1294 bsde_add_rule(int *rulenum, struct mac_bsdextended_rule *rule, size_t buflen,
1297 char charstr[BUFSIZ];
1300 int error, rule_slots;
1302 if (bsde_check_version(buflen, errstr) != 0)
1306 error = bsde_get_mib(MIB ".rules", name, &len);
1308 snprintf(errstr, buflen, "%s: %s", MIB ".rules",
1313 rule_slots = bsde_get_rule_slots(BUFSIZ, charstr);
1314 if (rule_slots == -1) {
1315 snprintf(errstr, buflen, "unable to get rule slots: %s",
1320 name[len] = rule_slots;
1323 error = sysctl(name, len, NULL, NULL, rule, sizeof(*rule));
1325 snprintf(errstr, buflen, "%s.%d: %s", MIB ".rules",
1326 rule_slots, strerror(errno));
1330 if (rulenum != NULL)
1331 *rulenum = rule_slots;
projects / FreeBSD / FreeBSD.git / blob