2 * Copyright (c) 1999-2002, 2006, 2009 Robert N. M. Watson
3 * Copyright (c) 2001 Ilmar S. Habibulin
4 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
5 * Copyright (c) 2005-2006 SPARTA, Inc.
6 * Copyright (c) 2008 Apple Inc.
9 * This software was developed by Robert Watson and Ilmar Habibulin for the
12 * This software was developed for the FreeBSD Project in part by Network
13 * Associates Laboratories, the Security Research Division of Network
14 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
15 * as part of the DARPA CHATS research program.
17 * This software was enhanced by SPARTA ISSO under SPAWAR contract
18 * N66001-04-C-6019 ("SEFOS").
20 * This software was developed at the University of Cambridge Computer
21 * Laboratory with support from a grant from Google, Inc.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the above copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
32 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
33 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
34 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
35 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
36 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
37 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
38 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
39 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
40 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
41 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
45 #include <sys/cdefs.h>
46 __FBSDID("$FreeBSD$");
50 #include <sys/param.h>
51 #include <sys/capsicum.h>
52 #include <sys/fcntl.h>
53 #include <sys/kernel.h>
55 #include <sys/malloc.h>
56 #include <sys/mutex.h>
59 #include <sys/systm.h>
60 #include <sys/sysctl.h>
61 #include <sys/sysproto.h>
62 #include <sys/sysent.h>
63 #include <sys/vnode.h>
64 #include <sys/mount.h>
66 #include <sys/namei.h>
67 #include <sys/socket.h>
69 #include <sys/socketvar.h>
71 #include <security/mac/mac_framework.h>
72 #include <security/mac/mac_internal.h>
73 #include <security/mac/mac_policy.h>
77 FEATURE(security_mac, "Mandatory Access Control Framework support");
79 static int kern___mac_get_path(struct thread *td, const char *path_p,
80 struct mac *mac_p, int follow);
81 static int kern___mac_set_path(struct thread *td, const char *path_p,
82 struct mac *mac_p, int follow);
85 sys___mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
87 char *elements, *buffer;
93 error = copyin(uap->mac_p, &mac, sizeof(mac));
97 error = mac_check_structmac_consistent(&mac);
101 tproc = pfind(uap->pid);
105 tcred = NULL; /* Satisfy gcc. */
106 error = p_cansee(td, tproc);
108 tcred = crhold(tproc->p_ucred);
113 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
114 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
116 free(elements, M_MACTEMP);
121 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
122 error = mac_cred_externalize_label(tcred->cr_label, elements,
123 buffer, mac.m_buflen);
125 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
127 free(buffer, M_MACTEMP);
128 free(elements, M_MACTEMP);
134 sys___mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
136 char *elements, *buffer;
140 error = copyin(uap->mac_p, &mac, sizeof(mac));
144 error = mac_check_structmac_consistent(&mac);
148 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
149 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
151 free(elements, M_MACTEMP);
155 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
156 error = mac_cred_externalize_label(td->td_ucred->cr_label,
157 elements, buffer, mac.m_buflen);
159 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
161 free(buffer, M_MACTEMP);
162 free(elements, M_MACTEMP);
167 sys___mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
169 struct ucred *newcred, *oldcred;
170 struct label *intlabel;
176 if (!(mac_labeled & MPC_OBJECT_CRED))
179 error = copyin(uap->mac_p, &mac, sizeof(mac));
183 error = mac_check_structmac_consistent(&mac);
187 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
188 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
190 free(buffer, M_MACTEMP);
194 intlabel = mac_cred_label_alloc();
195 error = mac_cred_internalize_label(intlabel, buffer);
196 free(buffer, M_MACTEMP);
204 oldcred = p->p_ucred;
206 error = mac_cred_check_relabel(oldcred, intlabel);
214 crcopy(newcred, oldcred);
215 mac_cred_relabel(newcred, intlabel);
216 proc_set_cred(p, newcred);
220 mac_proc_vm_revoke(td);
223 mac_cred_label_free(intlabel);
228 sys___mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
230 char *elements, *buffer;
231 struct label *intlabel;
240 error = copyin(uap->mac_p, &mac, sizeof(mac));
244 error = mac_check_structmac_consistent(&mac);
248 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
249 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
251 free(elements, M_MACTEMP);
255 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
256 error = fget(td, uap->fd, cap_rights_init_one(&rights, CAP_MAC_GET),
261 switch (fp->f_type) {
264 if (!(mac_labeled & MPC_OBJECT_VNODE)) {
269 intlabel = mac_vnode_label_alloc();
270 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
271 mac_vnode_copy_label(vp->v_label, intlabel);
273 error = mac_vnode_externalize_label(intlabel, elements,
274 buffer, mac.m_buflen);
275 mac_vnode_label_free(intlabel);
279 if (!(mac_labeled & MPC_OBJECT_PIPE)) {
284 intlabel = mac_pipe_label_alloc();
286 mac_pipe_copy_label(pipe->pipe_pair->pp_label, intlabel);
288 error = mac_pipe_externalize_label(intlabel, elements,
289 buffer, mac.m_buflen);
290 mac_pipe_label_free(intlabel);
294 if (!(mac_labeled & MPC_OBJECT_SOCKET)) {
299 intlabel = mac_socket_label_alloc(M_WAITOK);
301 mac_socket_copy_label(so->so_label, intlabel);
303 error = mac_socket_externalize_label(intlabel, elements,
304 buffer, mac.m_buflen);
305 mac_socket_label_free(intlabel);
312 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
316 free(buffer, M_MACTEMP);
317 free(elements, M_MACTEMP);
322 sys___mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
325 return (kern___mac_get_path(td, uap->path_p, uap->mac_p, FOLLOW));
329 sys___mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
332 return (kern___mac_get_path(td, uap->path_p, uap->mac_p, NOFOLLOW));
336 kern___mac_get_path(struct thread *td, const char *path_p, struct mac *mac_p,
339 char *elements, *buffer;
341 struct label *intlabel;
345 if (!(mac_labeled & MPC_OBJECT_VNODE))
348 error = copyin(mac_p, &mac, sizeof(mac));
352 error = mac_check_structmac_consistent(&mac);
356 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
357 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
359 free(elements, M_MACTEMP);
363 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
364 NDINIT(&nd, LOOKUP, LOCKLEAF | follow, UIO_USERSPACE, path_p, td);
369 intlabel = mac_vnode_label_alloc();
370 mac_vnode_copy_label(nd.ni_vp->v_label, intlabel);
371 error = mac_vnode_externalize_label(intlabel, elements, buffer,
374 mac_vnode_label_free(intlabel);
377 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
380 free(buffer, M_MACTEMP);
381 free(elements, M_MACTEMP);
387 sys___mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
389 struct label *intlabel;
400 error = copyin(uap->mac_p, &mac, sizeof(mac));
404 error = mac_check_structmac_consistent(&mac);
408 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
409 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
411 free(buffer, M_MACTEMP);
415 error = fget(td, uap->fd, cap_rights_init_one(&rights, CAP_MAC_SET),
420 switch (fp->f_type) {
423 if (!(mac_labeled & MPC_OBJECT_VNODE)) {
427 intlabel = mac_vnode_label_alloc();
428 error = mac_vnode_internalize_label(intlabel, buffer);
430 mac_vnode_label_free(intlabel);
434 error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
436 mac_vnode_label_free(intlabel);
439 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
440 error = vn_setlabel(vp, intlabel, td->td_ucred);
442 vn_finished_write(mp);
443 mac_vnode_label_free(intlabel);
447 if (!(mac_labeled & MPC_OBJECT_PIPE)) {
451 intlabel = mac_pipe_label_alloc();
452 error = mac_pipe_internalize_label(intlabel, buffer);
456 error = mac_pipe_label_set(td->td_ucred,
457 pipe->pipe_pair, intlabel);
460 mac_pipe_label_free(intlabel);
464 if (!(mac_labeled & MPC_OBJECT_SOCKET)) {
468 intlabel = mac_socket_label_alloc(M_WAITOK);
469 error = mac_socket_internalize_label(intlabel, buffer);
472 error = mac_socket_label_set(td->td_ucred, so,
475 mac_socket_label_free(intlabel);
484 free(buffer, M_MACTEMP);
489 sys___mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
492 return (kern___mac_set_path(td, uap->path_p, uap->mac_p, FOLLOW));
496 sys___mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
499 return (kern___mac_set_path(td, uap->path_p, uap->mac_p, NOFOLLOW));
503 kern___mac_set_path(struct thread *td, const char *path_p, struct mac *mac_p,
506 struct label *intlabel;
513 if (!(mac_labeled & MPC_OBJECT_VNODE))
516 error = copyin(mac_p, &mac, sizeof(mac));
520 error = mac_check_structmac_consistent(&mac);
524 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
525 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
527 free(buffer, M_MACTEMP);
531 intlabel = mac_vnode_label_alloc();
532 error = mac_vnode_internalize_label(intlabel, buffer);
533 free(buffer, M_MACTEMP);
537 NDINIT(&nd, LOOKUP, LOCKLEAF | follow, UIO_USERSPACE, path_p, td);
540 error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
542 error = vn_setlabel(nd.ni_vp, intlabel,
544 vn_finished_write(mp);
550 mac_vnode_label_free(intlabel);
555 sys_mac_syscall(struct thread *td, struct mac_syscall_args *uap)
557 struct mac_policy_conf *mpc;
558 char target[MAC_MAX_POLICY_NAME];
561 error = copyinstr(uap->policy, target, sizeof(target), NULL);
566 LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {
567 if (strcmp(mpc->mpc_name, target) == 0 &&
568 mpc->mpc_ops->mpo_syscall != NULL) {
569 error = mpc->mpc_ops->mpo_syscall(td,
570 uap->call, uap->arg);
575 if (!LIST_EMPTY(&mac_policy_list)) {
576 mac_policy_slock_sleep();
577 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {
578 if (strcmp(mpc->mpc_name, target) == 0 &&
579 mpc->mpc_ops->mpo_syscall != NULL) {
580 error = mpc->mpc_ops->mpo_syscall(td,
581 uap->call, uap->arg);
585 mac_policy_sunlock_sleep();
594 sys___mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
601 sys___mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
608 sys___mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
615 sys___mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
622 sys___mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
629 sys___mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
636 sys___mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
643 sys___mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
650 sys___mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
657 sys_mac_syscall(struct thread *td, struct mac_syscall_args *uap)
projects / FreeBSD / FreeBSD.git / blob