2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001 Ilmar S. Habibulin
4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
7 * This software was developed by Robert Watson and Ilmar Habibulin for the
10 * This software was developed for the FreeBSD Project in part by NAI Labs,
11 * the Security Research Division of Network Associates, Inc. under
12 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
13 * CHATS research program.
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 * 3. The names of the authors may not be used to endorse or promote
24 * products derived from this software without specific prior written
27 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
42 * Developed by the TrustedBSD Project.
44 * Framework for extensible kernel access control. Kernel and userland
45 * interface to the framework, policy registration and composition.
50 #include <sys/param.h>
51 #include <sys/extattr.h>
52 #include <sys/kernel.h>
54 #include <sys/mutex.h>
57 #include <sys/module.h>
59 #include <sys/systm.h>
60 #include <sys/sysproto.h>
61 #include <sys/sysent.h>
62 #include <sys/vnode.h>
63 #include <sys/mount.h>
65 #include <sys/namei.h>
66 #include <sys/socket.h>
68 #include <sys/socketvar.h>
70 #include <sys/sysctl.h>
74 #include <vm/vm_map.h>
75 #include <vm/vm_object.h>
77 #include <sys/mac_policy.h>
79 #include <fs/devfs/devfs.h>
82 #include <net/bpfdesc.h>
84 #include <net/if_var.h>
86 #include <netinet/in.h>
87 #include <netinet/ip_var.h>
92 * Declare that the kernel provides MAC support, version 1. This permits
93 * modules to refuse to be loaded if the necessary support isn't present,
94 * even if it's pre-boot.
96 MODULE_VERSION(kernel_mac_support, 1);
98 SYSCTL_DECL(_security);
100 SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0,
101 "TrustedBSD MAC policy controls");
102 SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0,
103 "TrustedBSD MAC debug info");
105 static int mac_debug_label_fallback = 0;
106 SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW,
107 &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label"
108 "when label is corrupted.");
109 TUNABLE_INT("security.mac.debug_label_fallback",
110 &mac_debug_label_fallback);
112 #ifndef MAC_MAX_POLICIES
113 #define MAC_MAX_POLICIES 8
115 #if MAC_MAX_POLICIES > 32
116 #error "MAC_MAX_POLICIES too large"
118 static unsigned int mac_max_policies = MAC_MAX_POLICIES;
119 static unsigned int mac_policy_offsets_free = (1 << MAC_MAX_POLICIES) - 1;
120 SYSCTL_UINT(_security_mac, OID_AUTO, max_policies, CTLFLAG_RD,
121 &mac_max_policies, 0, "");
123 static int mac_late = 0;
125 static int mac_enforce_fs = 1;
126 SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
127 &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
128 TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
130 static int mac_enforce_network = 1;
131 SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
132 &mac_enforce_network, 0, "Enforce MAC policy on network packets");
133 TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
135 static int mac_enforce_process = 1;
136 SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
137 &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
138 TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
140 static int mac_enforce_socket = 1;
141 SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
142 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
143 TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
145 static int mac_enforce_pipe = 1;
146 SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
147 &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
149 static int mac_label_size = sizeof(struct mac);
150 SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD,
151 &mac_label_size, 0, "Pre-compiled MAC label size");
153 static int mac_cache_fslabel_in_vnode = 1;
154 SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW,
155 &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode");
156 TUNABLE_INT("security.mac.cache_fslabel_in_vnode",
157 &mac_cache_fslabel_in_vnode);
159 static int mac_vnode_label_cache_hits = 0;
160 SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD,
161 &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels");
162 static int mac_vnode_label_cache_misses = 0;
163 SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD,
164 &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels");
165 static int mac_mmap_revocation_via_cow = 0;
166 SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW,
167 &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
168 "copy-on-write semantics, or by removing all write access");
171 static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
172 nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
174 SYSCTL_UINT(_security_mac_debug, OID_AUTO, mbufs, CTLFLAG_RD,
175 &nmacmbufs, 0, "number of mbufs in use");
176 SYSCTL_UINT(_security_mac_debug, OID_AUTO, creds, CTLFLAG_RD,
177 &nmaccreds, 0, "number of ucreds in use");
178 SYSCTL_UINT(_security_mac_debug, OID_AUTO, ifnets, CTLFLAG_RD,
179 &nmacifnets, 0, "number of ifnets in use");
180 SYSCTL_UINT(_security_mac_debug, OID_AUTO, ipqs, CTLFLAG_RD,
181 &nmacipqs, 0, "number of ipqs in use");
182 SYSCTL_UINT(_security_mac_debug, OID_AUTO, bpfdescs, CTLFLAG_RD,
183 &nmacbpfdescs, 0, "number of bpfdescs in use");
184 SYSCTL_UINT(_security_mac_debug, OID_AUTO, sockets, CTLFLAG_RD,
185 &nmacsockets, 0, "number of sockets in use");
186 SYSCTL_UINT(_security_mac_debug, OID_AUTO, pipes, CTLFLAG_RD,
187 &nmacpipes, 0, "number of pipes in use");
188 SYSCTL_UINT(_security_mac_debug, OID_AUTO, mounts, CTLFLAG_RD,
189 &nmacmounts, 0, "number of mounts in use");
190 SYSCTL_UINT(_security_mac_debug, OID_AUTO, temp, CTLFLAG_RD,
191 &nmactemp, 0, "number of temporary labels in use");
192 SYSCTL_UINT(_security_mac_debug, OID_AUTO, vnodes, CTLFLAG_RD,
193 &nmacvnodes, 0, "number of vnodes in use");
194 SYSCTL_UINT(_security_mac_debug, OID_AUTO, devfsdirents, CTLFLAG_RD,
195 &nmacdevfsdirents, 0, "number of devfs dirents inuse");
198 static int error_select(int error1, int error2);
199 static int mac_externalize(struct label *label, struct mac *mac);
200 static int mac_policy_register(struct mac_policy_conf *mpc);
201 static int mac_policy_unregister(struct mac_policy_conf *mpc);
203 static int mac_stdcreatevnode_ea(struct vnode *vp);
204 static void mac_cred_mmapped_drop_perms(struct thread *td,
206 static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
207 struct ucred *cred, struct vm_map *map);
209 MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
210 MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
213 * mac_policy_list_lock protects the consistency of 'mac_policy_list',
214 * the linked list of attached policy modules. Read-only consumers of
215 * the list must acquire a shared lock for the duration of their use;
216 * writers must acquire an exclusive lock. Note that for compound
217 * operations, locks should be held for the entire compound operation,
218 * and that this is not yet done for relabel requests.
220 static struct mtx mac_policy_list_lock;
221 static LIST_HEAD(, mac_policy_conf) mac_policy_list;
222 static int mac_policy_list_busy;
223 #define MAC_POLICY_LIST_LOCKINIT() mtx_init(&mac_policy_list_lock, \
224 "mac_policy_list_lock", NULL, MTX_DEF);
225 #define MAC_POLICY_LIST_LOCK() mtx_lock(&mac_policy_list_lock);
226 #define MAC_POLICY_LIST_UNLOCK() mtx_unlock(&mac_policy_list_lock);
228 #define MAC_POLICY_LIST_BUSY() do { \
229 MAC_POLICY_LIST_LOCK(); \
230 mac_policy_list_busy++; \
231 MAC_POLICY_LIST_UNLOCK(); \
234 #define MAC_POLICY_LIST_UNBUSY() do { \
235 MAC_POLICY_LIST_LOCK(); \
236 mac_policy_list_busy--; \
237 if (mac_policy_list_busy < 0) \
238 panic("Extra mac_policy_list_busy--"); \
239 MAC_POLICY_LIST_UNLOCK(); \
243 * MAC_CHECK performs the designated check by walking the policy
244 * module list and checking with each as to how it feels about the
245 * request. Note that it returns its value via 'error' in the scope
248 #define MAC_CHECK(check, args...) do { \
249 struct mac_policy_conf *mpc; \
252 MAC_POLICY_LIST_BUSY(); \
253 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
254 if (mpc->mpc_ops->mpo_ ## check != NULL) \
255 error = error_select( \
256 mpc->mpc_ops->mpo_ ## check (args), \
259 MAC_POLICY_LIST_UNBUSY(); \
263 * MAC_BOOLEAN performs the designated boolean composition by walking
264 * the module list, invoking each instance of the operation, and
265 * combining the results using the passed C operator. Note that it
266 * returns its value via 'result' in the scope of the caller, which
267 * should be initialized by the caller in a meaningful way to get
268 * a meaningful result.
270 #define MAC_BOOLEAN(operation, composition, args...) do { \
271 struct mac_policy_conf *mpc; \
273 MAC_POLICY_LIST_BUSY(); \
274 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
275 if (mpc->mpc_ops->mpo_ ## operation != NULL) \
276 result = result composition \
277 mpc->mpc_ops->mpo_ ## operation (args); \
279 MAC_POLICY_LIST_UNBUSY(); \
283 * MAC_PERFORM performs the designated operation by walking the policy
284 * module list and invoking that operation for each policy.
286 #define MAC_PERFORM(operation, args...) do { \
287 struct mac_policy_conf *mpc; \
289 MAC_POLICY_LIST_BUSY(); \
290 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
291 if (mpc->mpc_ops->mpo_ ## operation != NULL) \
292 mpc->mpc_ops->mpo_ ## operation (args); \
294 MAC_POLICY_LIST_UNBUSY(); \
298 * Initialize the MAC subsystem, including appropriate SMP locks.
304 LIST_INIT(&mac_policy_list);
305 MAC_POLICY_LIST_LOCKINIT();
309 * For the purposes of modules that want to know if they were loaded
310 * "early", set the mac_late flag once we've processed modules either
311 * linked into the kernel, or loaded before the kernel startup.
321 * Allow MAC policy modules to register during boot, etc.
324 mac_policy_modevent(module_t mod, int type, void *data)
326 struct mac_policy_conf *mpc;
330 mpc = (struct mac_policy_conf *) data;
334 if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE &&
336 printf("mac_policy_modevent: can't load %s policy "
337 "after booting\n", mpc->mpc_name);
341 error = mac_policy_register(mpc);
344 /* Don't unregister the module if it was never registered. */
345 if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED)
347 error = mac_policy_unregister(mpc);
359 mac_policy_register(struct mac_policy_conf *mpc)
361 struct mac_policy_conf *tmpc;
362 struct mac_policy_ops *ops;
363 struct mac_policy_op_entry *mpe;
366 MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*ops), M_MACOPVEC,
368 for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) {
369 switch (mpe->mpe_constant) {
372 * Doesn't actually happen, but this allows checking
373 * that all enumerated values are handled.
377 mpc->mpc_ops->mpo_destroy =
381 mpc->mpc_ops->mpo_init =
385 mpc->mpc_ops->mpo_syscall =
388 case MAC_INIT_BPFDESC:
389 mpc->mpc_ops->mpo_init_bpfdesc =
393 mpc->mpc_ops->mpo_init_cred =
396 case MAC_INIT_DEVFSDIRENT:
397 mpc->mpc_ops->mpo_init_devfsdirent =
401 mpc->mpc_ops->mpo_init_ifnet =
405 mpc->mpc_ops->mpo_init_ipq =
409 mpc->mpc_ops->mpo_init_mbuf =
413 mpc->mpc_ops->mpo_init_mount =
417 mpc->mpc_ops->mpo_init_pipe =
420 case MAC_INIT_SOCKET:
421 mpc->mpc_ops->mpo_init_socket =
425 mpc->mpc_ops->mpo_init_temp =
429 mpc->mpc_ops->mpo_init_vnode =
432 case MAC_DESTROY_BPFDESC:
433 mpc->mpc_ops->mpo_destroy_bpfdesc =
436 case MAC_DESTROY_CRED:
437 mpc->mpc_ops->mpo_destroy_cred =
440 case MAC_DESTROY_DEVFSDIRENT:
441 mpc->mpc_ops->mpo_destroy_devfsdirent =
444 case MAC_DESTROY_IFNET:
445 mpc->mpc_ops->mpo_destroy_ifnet =
448 case MAC_DESTROY_IPQ:
449 mpc->mpc_ops->mpo_destroy_ipq =
452 case MAC_DESTROY_MBUF:
453 mpc->mpc_ops->mpo_destroy_mbuf =
456 case MAC_DESTROY_MOUNT:
457 mpc->mpc_ops->mpo_destroy_mount =
460 case MAC_DESTROY_PIPE:
461 mpc->mpc_ops->mpo_destroy_pipe =
464 case MAC_DESTROY_SOCKET:
465 mpc->mpc_ops->mpo_destroy_socket =
468 case MAC_DESTROY_TEMP:
469 mpc->mpc_ops->mpo_destroy_temp =
472 case MAC_DESTROY_VNODE:
473 mpc->mpc_ops->mpo_destroy_vnode =
476 case MAC_EXTERNALIZE:
477 mpc->mpc_ops->mpo_externalize =
480 case MAC_INTERNALIZE:
481 mpc->mpc_ops->mpo_internalize =
484 case MAC_CREATE_DEVFS_DEVICE:
485 mpc->mpc_ops->mpo_create_devfs_device =
488 case MAC_CREATE_DEVFS_DIRECTORY:
489 mpc->mpc_ops->mpo_create_devfs_directory =
492 case MAC_CREATE_DEVFS_VNODE:
493 mpc->mpc_ops->mpo_create_devfs_vnode =
496 case MAC_STDCREATEVNODE_EA:
497 mpc->mpc_ops->mpo_stdcreatevnode_ea =
500 case MAC_CREATE_VNODE:
501 mpc->mpc_ops->mpo_create_vnode =
504 case MAC_CREATE_MOUNT:
505 mpc->mpc_ops->mpo_create_mount =
508 case MAC_CREATE_ROOT_MOUNT:
509 mpc->mpc_ops->mpo_create_root_mount =
512 case MAC_RELABEL_VNODE:
513 mpc->mpc_ops->mpo_relabel_vnode =
516 case MAC_UPDATE_DEVFSDIRENT:
517 mpc->mpc_ops->mpo_update_devfsdirent =
520 case MAC_UPDATE_PROCFSVNODE:
521 mpc->mpc_ops->mpo_update_procfsvnode =
524 case MAC_UPDATE_VNODE_FROM_EXTATTR:
525 mpc->mpc_ops->mpo_update_vnode_from_extattr =
528 case MAC_UPDATE_VNODE_FROM_EXTERNALIZED:
529 mpc->mpc_ops->mpo_update_vnode_from_externalized =
532 case MAC_UPDATE_VNODE_FROM_MOUNT:
533 mpc->mpc_ops->mpo_update_vnode_from_mount =
536 case MAC_CREATE_MBUF_FROM_SOCKET:
537 mpc->mpc_ops->mpo_create_mbuf_from_socket =
540 case MAC_CREATE_PIPE:
541 mpc->mpc_ops->mpo_create_pipe =
544 case MAC_CREATE_SOCKET:
545 mpc->mpc_ops->mpo_create_socket =
548 case MAC_CREATE_SOCKET_FROM_SOCKET:
549 mpc->mpc_ops->mpo_create_socket_from_socket =
552 case MAC_RELABEL_PIPE:
553 mpc->mpc_ops->mpo_relabel_pipe =
556 case MAC_RELABEL_SOCKET:
557 mpc->mpc_ops->mpo_relabel_socket =
560 case MAC_SET_SOCKET_PEER_FROM_MBUF:
561 mpc->mpc_ops->mpo_set_socket_peer_from_mbuf =
564 case MAC_SET_SOCKET_PEER_FROM_SOCKET:
565 mpc->mpc_ops->mpo_set_socket_peer_from_socket =
568 case MAC_CREATE_BPFDESC:
569 mpc->mpc_ops->mpo_create_bpfdesc =
572 case MAC_CREATE_DATAGRAM_FROM_IPQ:
573 mpc->mpc_ops->mpo_create_datagram_from_ipq =
576 case MAC_CREATE_FRAGMENT:
577 mpc->mpc_ops->mpo_create_fragment =
580 case MAC_CREATE_IFNET:
581 mpc->mpc_ops->mpo_create_ifnet =
585 mpc->mpc_ops->mpo_create_ipq =
588 case MAC_CREATE_MBUF_FROM_MBUF:
589 mpc->mpc_ops->mpo_create_mbuf_from_mbuf =
592 case MAC_CREATE_MBUF_LINKLAYER:
593 mpc->mpc_ops->mpo_create_mbuf_linklayer =
596 case MAC_CREATE_MBUF_FROM_BPFDESC:
597 mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc =
600 case MAC_CREATE_MBUF_FROM_IFNET:
601 mpc->mpc_ops->mpo_create_mbuf_from_ifnet =
604 case MAC_CREATE_MBUF_MULTICAST_ENCAP:
605 mpc->mpc_ops->mpo_create_mbuf_multicast_encap =
608 case MAC_CREATE_MBUF_NETLAYER:
609 mpc->mpc_ops->mpo_create_mbuf_netlayer =
612 case MAC_FRAGMENT_MATCH:
613 mpc->mpc_ops->mpo_fragment_match =
616 case MAC_RELABEL_IFNET:
617 mpc->mpc_ops->mpo_relabel_ifnet =
621 mpc->mpc_ops->mpo_update_ipq =
624 case MAC_CREATE_CRED:
625 mpc->mpc_ops->mpo_create_cred =
628 case MAC_EXECVE_TRANSITION:
629 mpc->mpc_ops->mpo_execve_transition =
632 case MAC_EXECVE_WILL_TRANSITION:
633 mpc->mpc_ops->mpo_execve_will_transition =
636 case MAC_CREATE_PROC0:
637 mpc->mpc_ops->mpo_create_proc0 = mpe->mpe_function;
639 case MAC_CREATE_PROC1:
640 mpc->mpc_ops->mpo_create_proc1 = mpe->mpe_function;
642 case MAC_RELABEL_CRED:
643 mpc->mpc_ops->mpo_relabel_cred =
646 case MAC_CHECK_BPFDESC_RECEIVE:
647 mpc->mpc_ops->mpo_check_bpfdesc_receive =
650 case MAC_CHECK_CRED_RELABEL:
651 mpc->mpc_ops->mpo_check_cred_relabel =
654 case MAC_CHECK_CRED_VISIBLE:
655 mpc->mpc_ops->mpo_check_cred_visible =
658 case MAC_CHECK_IFNET_RELABEL:
659 mpc->mpc_ops->mpo_check_ifnet_relabel =
662 case MAC_CHECK_IFNET_TRANSMIT:
663 mpc->mpc_ops->mpo_check_ifnet_transmit =
666 case MAC_CHECK_MOUNT_STAT:
667 mpc->mpc_ops->mpo_check_mount_stat =
670 case MAC_CHECK_PIPE_IOCTL:
671 mpc->mpc_ops->mpo_check_pipe_ioctl =
674 case MAC_CHECK_PIPE_POLL:
675 mpc->mpc_ops->mpo_check_pipe_poll =
678 case MAC_CHECK_PIPE_READ:
679 mpc->mpc_ops->mpo_check_pipe_read =
682 case MAC_CHECK_PIPE_RELABEL:
683 mpc->mpc_ops->mpo_check_pipe_relabel =
686 case MAC_CHECK_PIPE_STAT:
687 mpc->mpc_ops->mpo_check_pipe_stat =
690 case MAC_CHECK_PIPE_WRITE:
691 mpc->mpc_ops->mpo_check_pipe_write =
694 case MAC_CHECK_PROC_DEBUG:
695 mpc->mpc_ops->mpo_check_proc_debug =
698 case MAC_CHECK_PROC_SCHED:
699 mpc->mpc_ops->mpo_check_proc_sched =
702 case MAC_CHECK_PROC_SIGNAL:
703 mpc->mpc_ops->mpo_check_proc_signal =
706 case MAC_CHECK_SOCKET_BIND:
707 mpc->mpc_ops->mpo_check_socket_bind =
710 case MAC_CHECK_SOCKET_CONNECT:
711 mpc->mpc_ops->mpo_check_socket_connect =
714 case MAC_CHECK_SOCKET_DELIVER:
715 mpc->mpc_ops->mpo_check_socket_deliver =
718 case MAC_CHECK_SOCKET_LISTEN:
719 mpc->mpc_ops->mpo_check_socket_listen =
722 case MAC_CHECK_SOCKET_RELABEL:
723 mpc->mpc_ops->mpo_check_socket_relabel =
726 case MAC_CHECK_SOCKET_VISIBLE:
727 mpc->mpc_ops->mpo_check_socket_visible =
730 case MAC_CHECK_VNODE_ACCESS:
731 mpc->mpc_ops->mpo_check_vnode_access =
734 case MAC_CHECK_VNODE_CHDIR:
735 mpc->mpc_ops->mpo_check_vnode_chdir =
738 case MAC_CHECK_VNODE_CHROOT:
739 mpc->mpc_ops->mpo_check_vnode_chroot =
742 case MAC_CHECK_VNODE_CREATE:
743 mpc->mpc_ops->mpo_check_vnode_create =
746 case MAC_CHECK_VNODE_DELETE:
747 mpc->mpc_ops->mpo_check_vnode_delete =
750 case MAC_CHECK_VNODE_DELETEACL:
751 mpc->mpc_ops->mpo_check_vnode_deleteacl =
754 case MAC_CHECK_VNODE_EXEC:
755 mpc->mpc_ops->mpo_check_vnode_exec =
758 case MAC_CHECK_VNODE_GETACL:
759 mpc->mpc_ops->mpo_check_vnode_getacl =
762 case MAC_CHECK_VNODE_GETEXTATTR:
763 mpc->mpc_ops->mpo_check_vnode_getextattr =
766 case MAC_CHECK_VNODE_LOOKUP:
767 mpc->mpc_ops->mpo_check_vnode_lookup =
770 case MAC_CHECK_VNODE_MMAP_PERMS:
771 mpc->mpc_ops->mpo_check_vnode_mmap_perms =
774 case MAC_CHECK_VNODE_OPEN:
775 mpc->mpc_ops->mpo_check_vnode_open =
778 case MAC_CHECK_VNODE_POLL:
779 mpc->mpc_ops->mpo_check_vnode_poll =
782 case MAC_CHECK_VNODE_READ:
783 mpc->mpc_ops->mpo_check_vnode_read =
786 case MAC_CHECK_VNODE_READDIR:
787 mpc->mpc_ops->mpo_check_vnode_readdir =
790 case MAC_CHECK_VNODE_READLINK:
791 mpc->mpc_ops->mpo_check_vnode_readlink =
794 case MAC_CHECK_VNODE_RELABEL:
795 mpc->mpc_ops->mpo_check_vnode_relabel =
798 case MAC_CHECK_VNODE_RENAME_FROM:
799 mpc->mpc_ops->mpo_check_vnode_rename_from =
802 case MAC_CHECK_VNODE_RENAME_TO:
803 mpc->mpc_ops->mpo_check_vnode_rename_to =
806 case MAC_CHECK_VNODE_REVOKE:
807 mpc->mpc_ops->mpo_check_vnode_revoke =
810 case MAC_CHECK_VNODE_SETACL:
811 mpc->mpc_ops->mpo_check_vnode_setacl =
814 case MAC_CHECK_VNODE_SETEXTATTR:
815 mpc->mpc_ops->mpo_check_vnode_setextattr =
818 case MAC_CHECK_VNODE_SETFLAGS:
819 mpc->mpc_ops->mpo_check_vnode_setflags =
822 case MAC_CHECK_VNODE_SETMODE:
823 mpc->mpc_ops->mpo_check_vnode_setmode =
826 case MAC_CHECK_VNODE_SETOWNER:
827 mpc->mpc_ops->mpo_check_vnode_setowner =
830 case MAC_CHECK_VNODE_SETUTIMES:
831 mpc->mpc_ops->mpo_check_vnode_setutimes =
834 case MAC_CHECK_VNODE_STAT:
835 mpc->mpc_ops->mpo_check_vnode_stat =
838 case MAC_CHECK_VNODE_WRITE:
839 mpc->mpc_ops->mpo_check_vnode_write =
844 printf("MAC policy `%s': unknown operation %d\n",
845 mpc->mpc_name, mpe->mpe_constant);
850 MAC_POLICY_LIST_LOCK();
851 if (mac_policy_list_busy > 0) {
852 MAC_POLICY_LIST_UNLOCK();
853 FREE(mpc->mpc_ops, M_MACOPVEC);
857 LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
858 if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
859 MAC_POLICY_LIST_UNLOCK();
860 FREE(mpc->mpc_ops, M_MACOPVEC);
865 if (mpc->mpc_field_off != NULL) {
866 slot = ffs(mac_policy_offsets_free);
868 MAC_POLICY_LIST_UNLOCK();
869 FREE(mpc->mpc_ops, M_MACOPVEC);
874 mac_policy_offsets_free &= ~(1 << slot);
875 *mpc->mpc_field_off = slot;
877 mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED;
878 LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list);
880 /* Per-policy initialization. */
881 if (mpc->mpc_ops->mpo_init != NULL)
882 (*(mpc->mpc_ops->mpo_init))(mpc);
883 MAC_POLICY_LIST_UNLOCK();
885 printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname,
892 mac_policy_unregister(struct mac_policy_conf *mpc)
897 * Don't allow unloading modules with private data.
899 if (mpc->mpc_field_off != NULL)
902 if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0)
904 MAC_POLICY_LIST_LOCK();
905 if (mac_policy_list_busy > 0) {
906 MAC_POLICY_LIST_UNLOCK();
909 if (mpc->mpc_ops->mpo_destroy != NULL)
910 (*(mpc->mpc_ops->mpo_destroy))(mpc);
912 LIST_REMOVE(mpc, mpc_list);
913 MAC_POLICY_LIST_UNLOCK();
915 FREE(mpc->mpc_ops, M_MACOPVEC);
918 printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname,
925 * Define an error value precedence, and given two arguments, selects the
926 * value with the higher precedence.
929 error_select(int error1, int error2)
932 /* Certain decision-making errors take top priority. */
933 if (error1 == EDEADLK || error2 == EDEADLK)
936 /* Invalid arguments should be reported where possible. */
937 if (error1 == EINVAL || error2 == EINVAL)
940 /* Precedence goes to "visibility", with both process and file. */
941 if (error1 == ESRCH || error2 == ESRCH)
944 if (error1 == ENOENT || error2 == ENOENT)
947 /* Precedence goes to DAC/MAC protections. */
948 if (error1 == EACCES || error2 == EACCES)
951 /* Precedence goes to privilege. */
952 if (error1 == EPERM || error2 == EPERM)
955 /* Precedence goes to error over success; otherwise, arbitrary. */
962 mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp)
965 MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label);
969 mac_update_procfsvnode(struct vnode *vp, struct ucred *cred)
972 MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred);
976 * Support callout for policies that manage their own externalization
977 * using extended attributes.
980 mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp)
984 MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp,
991 * Given an externalized mac label, internalize it and stamp it on a
995 mac_update_vnode_from_externalized(struct vnode *vp, struct mac *extmac)
999 MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac);
1005 * Call out to individual policies to update the label in a vnode from
1009 mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp)
1012 MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp,
1015 ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount");
1016 if (mac_cache_fslabel_in_vnode)
1017 vp->v_vflag |= VV_CACHEDLABEL;
1021 * Implementation of VOP_REFRESHLABEL() that relies on extended attributes
1022 * to store label data. Can be referenced by filesystems supporting
1023 * extended attributes.
1026 vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap)
1028 struct vnode *vp = ap->a_vp;
1032 ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea");
1035 * Call out to external policies first. Order doesn't really
1036 * matter, as long as failure of one assures failure of all.
1038 error = mac_update_vnode_from_extattr(vp, vp->v_mount);
1042 buflen = sizeof(extmac);
1043 error = vn_extattr_get(vp, IO_NODELOCKED,
1044 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen,
1045 (char *)&extmac, curthread);
1053 * Use the label from the mount point.
1055 mac_update_vnode_from_mount(vp, vp->v_mount);
1060 /* Fail horribly. */
1064 if (buflen != sizeof(extmac))
1065 error = EPERM; /* Fail very closed. */
1067 error = mac_update_vnode_from_externalized(vp, &extmac);
1069 vp->v_vflag |= VV_CACHEDLABEL;
1073 printf("Corrupted label on %s",
1074 vp->v_mount->mnt_stat.f_mntonname);
1075 if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0)
1076 printf(" inum %ld", va.va_fileid);
1077 if (mac_debug_label_fallback) {
1078 printf(", falling back.\n");
1079 mac_update_vnode_from_mount(vp, vp->v_mount);
1091 * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle
1092 * the labeling activity outselves. Filesystems should be careful not
1093 * to change their minds regarding whether they support vop_refreshlabel()
1094 * for a vnode or not. Don't cache the vnode here, allow the file
1095 * system code to determine if it's safe to cache. If we update from
1096 * the mount, don't cache since a change to the mount label should affect
1100 vn_refreshlabel(struct vnode *vp, struct ucred *cred)
1104 ASSERT_VOP_LOCKED(vp, "vn_refreshlabel");
1106 if (vp->v_mount == NULL) {
1108 Eventually, we probably want to special-case refreshing
1109 of deadfs vnodes, and if there's a lock-free race somewhere,
1110 that case might be handled here.
1112 mac_update_vnode_deadfs(vp);
1115 /* printf("vn_refreshlabel: null v_mount\n"); */
1116 if (vp->v_tag != VT_NON)
1118 "vn_refreshlabel: null v_mount with non-VT_NON\n");
1122 if (vp->v_vflag & VV_CACHEDLABEL) {
1123 mac_vnode_label_cache_hits++;
1126 mac_vnode_label_cache_misses++;
1128 if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) {
1129 mac_update_vnode_from_mount(vp, vp->v_mount);
1133 error = VOP_REFRESHLABEL(vp, cred, curthread);
1137 * If labels are not supported on this vnode, fall back to
1138 * the label in the mount and propagate it to the vnode.
1139 * There should probably be some sort of policy/flag/decision
1142 mac_update_vnode_from_mount(vp, vp->v_mount);
1150 * Helper function for file systems using the vop_std*_ea() calls. This
1151 * function must be called after EA service is available for the vnode,
1152 * but before it's hooked up to the namespace so that the node persists
1153 * if there's a crash, or before it can be accessed. On successful
1154 * commit of the label to disk (etc), do cache the label.
1157 vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred)
1162 ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea");
1163 if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) {
1164 mac_update_vnode_from_mount(tvp, tvp->v_mount);
1166 error = vn_refreshlabel(dvp, cred);
1171 * Stick the label in the vnode. Then try to write to
1172 * disk. If we fail, return a failure to abort the
1173 * create operation. Really, this failure shouldn't
1174 * happen except in fairly unusual circumstances (out
1177 mac_create_vnode(cred, dvp, tvp);
1179 error = mac_stdcreatevnode_ea(tvp);
1184 * XXX: Eventually this will go away and all policies will
1185 * directly manage their extended attributes.
1187 error = mac_externalize(&tvp->v_label, &extmac);
1191 error = vn_extattr_set(tvp, IO_NODELOCKED,
1192 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME,
1193 sizeof(extmac), (char *)&extmac, curthread);
1195 tvp->v_vflag |= VV_CACHEDLABEL;
1199 * In theory, we could have fall-back behavior here.
1200 * It would probably be incorrect.
1211 mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp)
1215 ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
1217 error = vn_refreshlabel(vp, old);
1219 printf("mac_execve_transition: vn_refreshlabel returned %d\n",
1221 printf("mac_execve_transition: using old vnode label\n");
1224 MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label);
1228 mac_execve_will_transition(struct ucred *old, struct vnode *vp)
1232 error = vn_refreshlabel(vp, old);
1237 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label);
1243 mac_init_label(struct label *label)
1246 bzero(label, sizeof(*label));
1247 label->l_flags = MAC_FLAG_INITIALIZED;
1251 mac_init_structmac(struct mac *mac)
1254 bzero(mac, sizeof(*mac));
1255 mac->m_macflags = MAC_FLAG_INITIALIZED;
1259 mac_destroy_label(struct label *label)
1262 KASSERT(label->l_flags & MAC_FLAG_INITIALIZED,
1263 ("destroying uninitialized label"));
1265 bzero(label, sizeof(*label));
1266 /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */
1270 mac_init_mbuf(struct mbuf *m, int how)
1272 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf"));
1274 /* "how" is one of M_(TRY|DONT)WAIT */
1275 mac_init_label(&m->m_pkthdr.label);
1276 MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
1278 atomic_add_int(&nmacmbufs, 1);
1284 mac_destroy_mbuf(struct mbuf *m)
1287 MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
1288 mac_destroy_label(&m->m_pkthdr.label);
1290 atomic_subtract_int(&nmacmbufs, 1);
1295 mac_init_cred(struct ucred *cr)
1298 mac_init_label(&cr->cr_label);
1299 MAC_PERFORM(init_cred, cr, &cr->cr_label);
1301 atomic_add_int(&nmaccreds, 1);
1306 mac_destroy_cred(struct ucred *cr)
1309 MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
1310 mac_destroy_label(&cr->cr_label);
1312 atomic_subtract_int(&nmaccreds, 1);
1317 mac_init_ifnet(struct ifnet *ifp)
1320 mac_init_label(&ifp->if_label);
1321 MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
1323 atomic_add_int(&nmacifnets, 1);
1328 mac_destroy_ifnet(struct ifnet *ifp)
1331 MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
1332 mac_destroy_label(&ifp->if_label);
1334 atomic_subtract_int(&nmacifnets, 1);
1339 mac_init_ipq(struct ipq *ipq)
1342 mac_init_label(&ipq->ipq_label);
1343 MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
1345 atomic_add_int(&nmacipqs, 1);
1350 mac_destroy_ipq(struct ipq *ipq)
1353 MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
1354 mac_destroy_label(&ipq->ipq_label);
1356 atomic_subtract_int(&nmacipqs, 1);
1361 mac_init_socket(struct socket *socket)
1364 mac_init_label(&socket->so_label);
1365 mac_init_label(&socket->so_peerlabel);
1366 MAC_PERFORM(init_socket, socket, &socket->so_label,
1367 &socket->so_peerlabel);
1369 atomic_add_int(&nmacsockets, 1);
1374 mac_destroy_socket(struct socket *socket)
1377 MAC_PERFORM(destroy_socket, socket, &socket->so_label,
1378 &socket->so_peerlabel);
1379 mac_destroy_label(&socket->so_label);
1380 mac_destroy_label(&socket->so_peerlabel);
1382 atomic_subtract_int(&nmacsockets, 1);
1387 mac_init_pipe(struct pipe *pipe)
1389 struct label *label;
1391 label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK);
1392 mac_init_label(label);
1393 pipe->pipe_label = label;
1394 pipe->pipe_peer->pipe_label = label;
1395 MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
1397 atomic_add_int(&nmacpipes, 1);
1402 mac_destroy_pipe(struct pipe *pipe)
1405 MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
1406 mac_destroy_label(pipe->pipe_label);
1407 free(pipe->pipe_label, M_MACPIPELABEL);
1409 atomic_subtract_int(&nmacpipes, 1);
1414 mac_init_bpfdesc(struct bpf_d *bpf_d)
1417 mac_init_label(&bpf_d->bd_label);
1418 MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
1420 atomic_add_int(&nmacbpfdescs, 1);
1425 mac_destroy_bpfdesc(struct bpf_d *bpf_d)
1428 MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
1429 mac_destroy_label(&bpf_d->bd_label);
1431 atomic_subtract_int(&nmacbpfdescs, 1);
1436 mac_init_mount(struct mount *mp)
1439 mac_init_label(&mp->mnt_mntlabel);
1440 mac_init_label(&mp->mnt_fslabel);
1441 MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
1443 atomic_add_int(&nmacmounts, 1);
1448 mac_destroy_mount(struct mount *mp)
1451 MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
1452 mac_destroy_label(&mp->mnt_fslabel);
1453 mac_destroy_label(&mp->mnt_mntlabel);
1455 atomic_subtract_int(&nmacmounts, 1);
1460 mac_init_temp(struct label *label)
1463 mac_init_label(label);
1464 MAC_PERFORM(init_temp, label);
1466 atomic_add_int(&nmactemp, 1);
1471 mac_destroy_temp(struct label *label)
1474 MAC_PERFORM(destroy_temp, label);
1475 mac_destroy_label(label);
1477 atomic_subtract_int(&nmactemp, 1);
1482 mac_init_vnode(struct vnode *vp)
1485 mac_init_label(&vp->v_label);
1486 MAC_PERFORM(init_vnode, vp, &vp->v_label);
1488 atomic_add_int(&nmacvnodes, 1);
1493 mac_destroy_vnode(struct vnode *vp)
1496 MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
1497 mac_destroy_label(&vp->v_label);
1499 atomic_subtract_int(&nmacvnodes, 1);
1504 mac_init_devfsdirent(struct devfs_dirent *de)
1507 mac_init_label(&de->de_label);
1508 MAC_PERFORM(init_devfsdirent, de, &de->de_label);
1510 atomic_add_int(&nmacdevfsdirents, 1);
1515 mac_destroy_devfsdirent(struct devfs_dirent *de)
1518 MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
1519 mac_destroy_label(&de->de_label);
1521 atomic_subtract_int(&nmacdevfsdirents, 1);
1526 mac_externalize(struct label *label, struct mac *mac)
1530 mac_init_structmac(mac);
1531 MAC_CHECK(externalize, label, mac);
1537 mac_internalize(struct label *label, struct mac *mac)
1541 mac_init_temp(label);
1542 MAC_CHECK(internalize, label, mac);
1544 mac_destroy_temp(label);
1550 * Initialize MAC label for the first kernel process, from which other
1551 * kernel processes and threads are spawned.
1554 mac_create_proc0(struct ucred *cred)
1557 MAC_PERFORM(create_proc0, cred);
1561 * Initialize MAC label for the first userland process, from which other
1562 * userland processes and threads are spawned.
1565 mac_create_proc1(struct ucred *cred)
1568 MAC_PERFORM(create_proc1, cred);
1572 * When a new process is created, its label must be initialized. Generally,
1573 * this involves inheritence from the parent process, modulo possible
1574 * deltas. This function allows that processing to take place.
1577 mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
1580 MAC_PERFORM(create_cred, parent_cred, child_cred);
1584 mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags)
1588 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access");
1590 if (!mac_enforce_fs)
1593 error = vn_refreshlabel(vp, cred);
1597 MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags);
1602 mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp)
1606 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir");
1608 if (!mac_enforce_fs)
1611 error = vn_refreshlabel(dvp, cred);
1615 MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label);
1620 mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp)
1624 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot");
1626 if (!mac_enforce_fs)
1629 error = vn_refreshlabel(dvp, cred);
1633 MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label);
1638 mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
1639 struct componentname *cnp, struct vattr *vap)
1643 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create");
1645 if (!mac_enforce_fs)
1648 error = vn_refreshlabel(dvp, cred);
1652 MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap);
1657 mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
1658 struct componentname *cnp)
1662 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete");
1663 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete");
1665 if (!mac_enforce_fs)
1668 error = vn_refreshlabel(dvp, cred);
1671 error = vn_refreshlabel(vp, cred);
1675 MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp,
1681 mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
1686 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl");
1688 if (!mac_enforce_fs)
1691 error = vn_refreshlabel(vp, cred);
1695 MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type);
1700 mac_check_vnode_exec(struct ucred *cred, struct vnode *vp)
1704 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec");
1706 if (!mac_enforce_process && !mac_enforce_fs)
1709 error = vn_refreshlabel(vp, cred);
1712 MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label);
1718 mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
1722 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl");
1724 if (!mac_enforce_fs)
1727 error = vn_refreshlabel(vp, cred);
1731 MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type);
1736 mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
1737 int attrnamespace, const char *name, struct uio *uio)
1741 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr");
1743 if (!mac_enforce_fs)
1746 error = vn_refreshlabel(vp, cred);
1750 MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label,
1751 attrnamespace, name, uio);
1756 mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
1757 struct componentname *cnp)
1761 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup");
1763 if (!mac_enforce_fs)
1766 error = vn_refreshlabel(dvp, cred);
1770 MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp);
1775 mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
1777 vm_prot_t result = VM_PROT_ALL;
1780 * This should be some sort of MAC_BITWISE, maybe :)
1782 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_perms");
1783 MAC_BOOLEAN(check_vnode_mmap_perms, &, cred, vp, &vp->v_label,
1789 mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
1793 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
1795 if (!mac_enforce_fs)
1798 error = vn_refreshlabel(vp, cred);
1802 MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
1807 mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
1812 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
1814 if (!mac_enforce_fs)
1817 error = vn_refreshlabel(vp, active_cred);
1821 MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
1828 mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
1833 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
1835 if (!mac_enforce_fs)
1838 error = vn_refreshlabel(vp, active_cred);
1842 MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
1849 mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
1853 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir");
1855 if (!mac_enforce_fs)
1858 error = vn_refreshlabel(dvp, cred);
1862 MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label);
1867 mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp)
1871 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink");
1873 if (!mac_enforce_fs)
1876 error = vn_refreshlabel(vp, cred);
1880 MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label);
1885 mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
1886 struct label *newlabel)
1890 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel");
1892 error = vn_refreshlabel(vp, cred);
1896 MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel);
1902 mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
1903 struct vnode *vp, struct componentname *cnp)
1907 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from");
1908 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from");
1910 if (!mac_enforce_fs)
1913 error = vn_refreshlabel(dvp, cred);
1916 error = vn_refreshlabel(vp, cred);
1920 MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp,
1926 mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
1927 struct vnode *vp, int samedir, struct componentname *cnp)
1931 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to");
1932 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to");
1934 if (!mac_enforce_fs)
1937 error = vn_refreshlabel(dvp, cred);
1941 error = vn_refreshlabel(vp, cred);
1945 MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp,
1946 vp != NULL ? &vp->v_label : NULL, samedir, cnp);
1951 mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp)
1955 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke");
1957 if (!mac_enforce_fs)
1960 error = vn_refreshlabel(vp, cred);
1964 MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label);
1969 mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
1974 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl");
1976 if (!mac_enforce_fs)
1979 error = vn_refreshlabel(vp, cred);
1983 MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl);
1988 mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
1989 int attrnamespace, const char *name, struct uio *uio)
1993 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr");
1995 if (!mac_enforce_fs)
1998 error = vn_refreshlabel(vp, cred);
2002 MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label,
2003 attrnamespace, name, uio);
2008 mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
2012 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags");
2014 if (!mac_enforce_fs)
2017 error = vn_refreshlabel(vp, cred);
2021 MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags);
2026 mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
2030 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode");
2032 if (!mac_enforce_fs)
2035 error = vn_refreshlabel(vp, cred);
2039 MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode);
2044 mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
2049 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner");
2051 if (!mac_enforce_fs)
2054 error = vn_refreshlabel(vp, cred);
2058 MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid);
2063 mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
2064 struct timespec atime, struct timespec mtime)
2068 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes");
2070 if (!mac_enforce_fs)
2073 error = vn_refreshlabel(vp, cred);
2077 MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime,
2083 mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
2088 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat");
2090 if (!mac_enforce_fs)
2093 error = vn_refreshlabel(vp, active_cred);
2097 MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
2103 mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
2108 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
2110 if (!mac_enforce_fs)
2113 error = vn_refreshlabel(vp, active_cred);
2117 MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
2124 * When relabeling a process, call out to the policies for the maximum
2125 * permission allowed for each object type we know about in its
2126 * memory space, and revoke access (in the least surprising ways we
2127 * know) when necessary. The process lock is not held here.
2130 mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred)
2133 /* XXX freeze all other threads */
2135 mac_cred_mmapped_drop_perms_recurse(td, cred,
2136 &td->td_proc->p_vmspace->vm_map);
2138 /* XXX allow other threads to continue */
2141 static __inline const char *
2142 prot2str(vm_prot_t prot)
2145 switch (prot & VM_PROT_ALL) {
2148 case VM_PROT_READ | VM_PROT_WRITE:
2150 case VM_PROT_READ | VM_PROT_EXECUTE:
2152 case VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE:
2156 case VM_PROT_EXECUTE:
2158 case VM_PROT_WRITE | VM_PROT_EXECUTE:
2166 mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
2169 struct vm_map_entry *vme;
2170 vm_prot_t result, revokeperms;
2172 vm_ooffset_t offset;
2175 vm_map_lock_read(map);
2176 for (vme = map->header.next; vme != &map->header; vme = vme->next) {
2177 if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) {
2178 mac_cred_mmapped_drop_perms_recurse(td, cred,
2179 vme->object.sub_map);
2183 * Skip over entries that obviously are not shared.
2185 if (vme->eflags & (MAP_ENTRY_COW | MAP_ENTRY_NOSYNC) ||
2186 !vme->max_protection)
2189 * Drill down to the deepest backing object.
2191 offset = vme->offset;
2192 object = vme->object.vm_object;
2195 while (object->backing_object != NULL) {
2196 object = object->backing_object;
2197 offset += object->backing_object_offset;
2200 * At the moment, vm_maps and objects aren't considered
2201 * by the MAC system, so only things with backing by a
2202 * normal object (read: vnodes) are checked.
2204 if (object->type != OBJT_VNODE)
2206 vp = (struct vnode *)object->handle;
2207 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
2208 result = mac_check_vnode_mmap_prot(cred, vp, 0);
2209 VOP_UNLOCK(vp, 0, td);
2211 * Find out what maximum protection we may be allowing
2212 * now but a policy needs to get removed.
2214 revokeperms = vme->max_protection & ~result;
2217 printf("pid %d: revoking %s perms from %#lx:%d "
2218 "(max %s/cur %s)\n", td->td_proc->p_pid,
2219 prot2str(revokeperms), vme->start, vme->end - vme->start,
2220 prot2str(vme->max_protection), prot2str(vme->protection));
2221 vm_map_lock_upgrade(map);
2223 * This is the really simple case: if a map has more
2224 * max_protection than is allowed, but it's not being
2225 * actually used (that is, the current protection is
2226 * still allowed), we can just wipe it out and do
2229 if ((vme->protection & revokeperms) == 0) {
2230 vme->max_protection -= revokeperms;
2232 if (revokeperms & VM_PROT_WRITE) {
2234 * In the more complicated case, flush out all
2235 * pending changes to the object then turn it
2238 vm_object_reference(object);
2239 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
2240 vm_object_page_clean(object,
2242 OFF_TO_IDX(offset + vme->end - vme->start +
2245 VOP_UNLOCK(vp, 0, td);
2246 vm_object_deallocate(object);
2248 * Why bother if there's no read permissions
2249 * anymore? For the rest, we need to leave
2250 * the write permissions on for COW, or
2251 * remove them entirely if configured to.
2253 if (!mac_mmap_revocation_via_cow) {
2254 vme->max_protection &= ~VM_PROT_WRITE;
2255 vme->protection &= ~VM_PROT_WRITE;
2256 } if ((revokeperms & VM_PROT_READ) == 0)
2257 vme->eflags |= MAP_ENTRY_COW |
2258 MAP_ENTRY_NEEDS_COPY;
2260 if (revokeperms & VM_PROT_EXECUTE) {
2261 vme->max_protection &= ~VM_PROT_EXECUTE;
2262 vme->protection &= ~VM_PROT_EXECUTE;
2264 if (revokeperms & VM_PROT_READ) {
2265 vme->max_protection = 0;
2266 vme->protection = 0;
2268 pmap_protect(map->pmap, vme->start, vme->end,
2269 vme->protection & ~revokeperms);
2270 vm_map_simplify_entry(map, vme);
2272 vm_map_lock_downgrade(map);
2274 vm_map_unlock_read(map);
2278 * When the subject's label changes, it may require revocation of privilege
2279 * to mapped objects. This can't be done on-the-fly later with a unified
2283 mac_relabel_cred(struct ucred *cred, struct label *newlabel)
2286 MAC_PERFORM(relabel_cred, cred, newlabel);
2290 mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel)
2293 MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel);
2297 mac_create_ifnet(struct ifnet *ifnet)
2300 MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label);
2304 mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d)
2307 MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label);
2311 mac_create_socket(struct ucred *cred, struct socket *socket)
2314 MAC_PERFORM(create_socket, cred, socket, &socket->so_label);
2318 mac_create_pipe(struct ucred *cred, struct pipe *pipe)
2321 MAC_PERFORM(create_pipe, cred, pipe, pipe->pipe_label);
2325 mac_create_socket_from_socket(struct socket *oldsocket,
2326 struct socket *newsocket)
2329 MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label,
2330 newsocket, &newsocket->so_label);
2334 mac_relabel_socket(struct ucred *cred, struct socket *socket,
2335 struct label *newlabel)
2338 MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel);
2342 mac_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *newlabel)
2345 MAC_PERFORM(relabel_pipe, cred, pipe, pipe->pipe_label, newlabel);
2349 mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket)
2352 MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, &mbuf->m_pkthdr.label,
2353 socket, &socket->so_peerlabel);
2357 mac_set_socket_peer_from_socket(struct socket *oldsocket,
2358 struct socket *newsocket)
2361 MAC_PERFORM(set_socket_peer_from_socket, oldsocket,
2362 &oldsocket->so_label, newsocket, &newsocket->so_peerlabel);
2366 mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram)
2369 MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label,
2370 datagram, &datagram->m_pkthdr.label);
2374 mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment)
2377 MAC_PERFORM(create_fragment, datagram, &datagram->m_pkthdr.label,
2378 fragment, &fragment->m_pkthdr.label);
2382 mac_create_ipq(struct mbuf *fragment, struct ipq *ipq)
2385 MAC_PERFORM(create_ipq, fragment, &fragment->m_pkthdr.label, ipq,
2390 mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf)
2393 MAC_PERFORM(create_mbuf_from_mbuf, oldmbuf, &oldmbuf->m_pkthdr.label,
2394 newmbuf, &newmbuf->m_pkthdr.label);
2398 mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf)
2401 MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf,
2402 &mbuf->m_pkthdr.label);
2406 mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf)
2409 MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf,
2410 &mbuf->m_pkthdr.label);
2414 mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf)
2417 MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf,
2418 &mbuf->m_pkthdr.label);
2422 mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet,
2423 struct mbuf *newmbuf)
2426 MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf,
2427 &oldmbuf->m_pkthdr.label, ifnet, &ifnet->if_label, newmbuf,
2428 &newmbuf->m_pkthdr.label);
2432 mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf)
2435 MAC_PERFORM(create_mbuf_netlayer, oldmbuf, &oldmbuf->m_pkthdr.label,
2436 newmbuf, &newmbuf->m_pkthdr.label);
2440 mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
2445 MAC_BOOLEAN(fragment_match, &&, fragment, &fragment->m_pkthdr.label,
2446 ipq, &ipq->ipq_label);
2452 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
2455 MAC_PERFORM(update_ipq, fragment, &fragment->m_pkthdr.label, ipq,
2460 mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf)
2463 MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf,
2464 &mbuf->m_pkthdr.label);
2468 mac_create_mount(struct ucred *cred, struct mount *mp)
2471 MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel,
2476 mac_create_root_mount(struct ucred *cred, struct mount *mp)
2479 MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel,
2484 mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet)
2488 if (!mac_enforce_network)
2491 MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet,
2498 mac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
2502 MAC_CHECK(check_cred_relabel, cred, newlabel);
2508 mac_check_cred_visible(struct ucred *u1, struct ucred *u2)
2512 if (!mac_enforce_process)
2515 MAC_CHECK(check_cred_visible, u1, u2);
2521 mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf)
2525 if (!mac_enforce_network)
2528 KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr"));
2529 if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED))
2530 printf("%s%d: not initialized\n", ifnet->if_name,
2533 MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf,
2534 &mbuf->m_pkthdr.label);
2540 mac_check_mount_stat(struct ucred *cred, struct mount *mount)
2544 if (!mac_enforce_fs)
2547 MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel);
2553 mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
2558 MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data);
2564 mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
2568 MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
2574 mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
2578 MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
2584 mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
2585 struct label *newlabel)
2589 MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel);
2595 mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
2599 MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
2605 mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
2609 MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
2615 mac_check_proc_debug(struct ucred *cred, struct proc *proc)
2619 PROC_LOCK_ASSERT(proc, MA_OWNED);
2621 if (!mac_enforce_process)
2624 MAC_CHECK(check_proc_debug, cred, proc);
2630 mac_check_proc_sched(struct ucred *cred, struct proc *proc)
2634 PROC_LOCK_ASSERT(proc, MA_OWNED);
2636 if (!mac_enforce_process)
2639 MAC_CHECK(check_proc_sched, cred, proc);
2645 mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
2649 PROC_LOCK_ASSERT(proc, MA_OWNED);
2651 if (!mac_enforce_process)
2654 MAC_CHECK(check_proc_signal, cred, proc, signum);
2660 mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
2661 struct sockaddr *sockaddr)
2665 if (!mac_enforce_socket)
2668 MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label,
2675 mac_check_socket_connect(struct ucred *cred, struct socket *socket,
2676 struct sockaddr *sockaddr)
2680 if (!mac_enforce_socket)
2683 MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label,
2690 mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf)
2694 if (!mac_enforce_socket)
2697 MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf,
2698 &mbuf->m_pkthdr.label);
2704 mac_check_socket_listen(struct ucred *cred, struct socket *socket)
2708 if (!mac_enforce_socket)
2711 MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label);
2716 mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
2717 struct label *newlabel)
2721 MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label,
2728 mac_check_socket_visible(struct ucred *cred, struct socket *socket)
2732 if (!mac_enforce_socket)
2735 MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label);
2741 mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
2742 struct ifnet *ifnet)
2747 error = mac_externalize(&ifnet->if_label, &label);
2751 return (copyout(&label, ifr->ifr_ifru.ifru_data, sizeof(label)));
2755 mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
2756 struct ifnet *ifnet)
2758 struct mac newlabel;
2759 struct label intlabel;
2762 error = copyin(ifr->ifr_ifru.ifru_data, &newlabel, sizeof(newlabel));
2766 error = mac_internalize(&intlabel, &newlabel);
2771 * XXX: Note that this is a redundant privilege check, since
2772 * policies impose this check themselves if required by the
2773 * policy. Eventually, this should go away.
2775 error = suser_cred(cred, 0);
2779 MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label,
2784 MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel);
2787 mac_destroy_temp(&intlabel);
2792 mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp)
2795 MAC_PERFORM(create_devfs_vnode, de, &de->de_label, vp, &vp->v_label);
2799 mac_create_devfs_device(dev_t dev, struct devfs_dirent *de)
2802 MAC_PERFORM(create_devfs_device, dev, de, &de->de_label);
2806 mac_stdcreatevnode_ea(struct vnode *vp)
2810 MAC_CHECK(stdcreatevnode_ea, vp, &vp->v_label);
2816 mac_create_devfs_directory(char *dirname, int dirnamelen,
2817 struct devfs_dirent *de)
2820 MAC_PERFORM(create_devfs_directory, dirname, dirnamelen, de,
2825 * When a new vnode is created, this call will initialize its label.
2828 mac_create_vnode(struct ucred *cred, struct vnode *parent,
2829 struct vnode *child)
2833 ASSERT_VOP_LOCKED(parent, "mac_create_vnode");
2834 ASSERT_VOP_LOCKED(child, "mac_create_vnode");
2836 error = vn_refreshlabel(parent, cred);
2838 printf("mac_create_vnode: vn_refreshlabel returned %d\n",
2840 printf("mac_create_vnode: using old vnode label\n");
2843 MAC_PERFORM(create_vnode, cred, parent, &parent->v_label, child,
2848 mac_setsockopt_label_set(struct ucred *cred, struct socket *so,
2851 struct label intlabel;
2854 error = mac_internalize(&intlabel, extmac);
2858 mac_check_socket_relabel(cred, so, &intlabel);
2860 mac_destroy_temp(&intlabel);
2864 mac_relabel_socket(cred, so, &intlabel);
2866 mac_destroy_temp(&intlabel);
2871 mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label)
2875 error = mac_check_pipe_relabel(cred, pipe, label);
2879 mac_relabel_pipe(cred, pipe, label);
2885 mac_getsockopt_label_get(struct ucred *cred, struct socket *so,
2889 return (mac_externalize(&so->so_label, extmac));
2893 mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so,
2897 return (mac_externalize(&so->so_peerlabel, extmac));
2901 * Implementation of VOP_SETLABEL() that relies on extended attributes
2902 * to store label data. Can be referenced by filesystems supporting
2903 * extended attributes.
2906 vop_stdsetlabel_ea(struct vop_setlabel_args *ap)
2908 struct vnode *vp = ap->a_vp;
2909 struct label *intlabel = ap->a_label;
2913 ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea");
2916 * XXX: Eventually call out to EA check/set calls here.
2917 * Be particularly careful to avoid race conditions,
2918 * consistency problems, and stability problems when
2919 * dealing with multiple EAs. In particular, we require
2920 * the ability to write multiple EAs on the same file in
2921 * a single transaction, which the current EA interface
2925 error = mac_externalize(intlabel, &extmac);
2929 error = vn_extattr_set(vp, IO_NODELOCKED,
2930 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME,
2931 sizeof(extmac), (char *)&extmac, curthread);
2935 mac_relabel_vnode(ap->a_cred, vp, intlabel);
2937 vp->v_vflag |= VV_CACHEDLABEL;
2943 vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred)
2947 if (vp->v_mount == NULL) {
2948 /* printf("vn_setlabel: null v_mount\n"); */
2949 if (vp->v_tag != VT_NON)
2950 printf("vn_setlabel: null v_mount with non-VT_NON\n");
2954 if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0)
2955 return (EOPNOTSUPP);
2958 * Multi-phase commit. First check the policies to confirm the
2959 * change is OK. Then commit via the filesystem. Finally,
2960 * update the actual vnode label. Question: maybe the filesystem
2961 * should update the vnode at the end as part of VOP_SETLABEL()?
2963 error = mac_check_vnode_relabel(cred, vp, intlabel);
2968 * VADMIN provides the opportunity for the filesystem to make
2969 * decisions about who is and is not able to modify labels
2970 * and protections on files. This might not be right. We can't
2971 * assume VOP_SETLABEL() will do it, because we might implement
2972 * that as part of vop_stdsetlabel_ea().
2974 error = VOP_ACCESS(vp, VADMIN, cred, curthread);
2978 error = VOP_SETLABEL(vp, intlabel, cred, curthread);
2989 __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
2994 error = mac_externalize(&td->td_ucred->cr_label, &extmac);
2996 error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac));
3005 __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
3007 struct ucred *newcred, *oldcred;
3010 struct label intlabel;
3013 error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac));
3017 error = mac_internalize(&intlabel, &extmac);
3025 oldcred = p->p_ucred;
3027 error = mac_check_cred_relabel(oldcred, &intlabel);
3030 mac_destroy_temp(&intlabel);
3036 crcopy(newcred, oldcred);
3037 mac_relabel_cred(newcred, &intlabel);
3038 p->p_ucred = newcred;
3041 * Grab additional reference for use while revoking mmaps, prior
3042 * to releasing the proc lock and sharing the cred.
3047 mac_cred_mmapped_drop_perms(td, newcred);
3049 crfree(newcred); /* Free revocation reference. */
3051 mac_destroy_temp(&intlabel);
3059 __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
3069 error = fget(td, SCARG(uap, fd), &fp);
3073 switch (fp->f_type) {
3076 vp = (struct vnode *)fp->f_data;
3078 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
3079 error = vn_refreshlabel(vp, td->td_ucred);
3081 error = mac_externalize(&vp->v_label, &extmac);
3082 VOP_UNLOCK(vp, 0, td);
3085 pipe = (struct pipe *)fp->f_data;
3086 error = mac_externalize(pipe->pipe_label, &extmac);
3093 error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac));
3106 __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
3108 struct nameidata nd;
3113 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE,
3114 SCARG(uap, path_p), td);
3119 error = vn_refreshlabel(nd.ni_vp, td->td_ucred);
3121 error = mac_externalize(&nd.ni_vp->v_label, &extmac);
3126 error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac));
3137 __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
3141 struct label intlabel;
3148 error = fget(td, SCARG(uap, fd), &fp);
3152 error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac));
3156 error = mac_internalize(&intlabel, &extmac);
3160 switch (fp->f_type) {
3163 vp = (struct vnode *)fp->f_data;
3164 error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
3168 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
3169 error = vn_setlabel(vp, &intlabel, td->td_ucred);
3170 VOP_UNLOCK(vp, 0, td);
3171 vn_finished_write(mp);
3172 mac_destroy_temp(&intlabel);
3175 pipe = (struct pipe *)fp->f_data;
3176 error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel);
3193 __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
3195 struct nameidata nd;
3197 struct label intlabel;
3203 error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac));
3207 error = mac_internalize(&intlabel, &extmac);
3211 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE,
3212 SCARG(uap, path_p), td);
3216 error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
3220 error = vn_setlabel(nd.ni_vp, &intlabel, td->td_ucred);
3222 vn_finished_write(mp);
3224 mac_destroy_temp(&intlabel);
3232 mac_syscall(struct thread *td, struct mac_syscall_args *uap)
3234 struct mac_policy_conf *mpc;
3235 char target[MAC_MAX_POLICY_NAME];
3238 error = copyinstr(SCARG(uap, policy), target, sizeof(target), NULL);
3243 MAC_POLICY_LIST_BUSY();
3244 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {
3245 if (strcmp(mpc->mpc_name, target) == 0 &&
3246 mpc->mpc_ops->mpo_syscall != NULL) {
3247 error = mpc->mpc_ops->mpo_syscall(td,
3248 SCARG(uap, call), SCARG(uap, arg));
3254 MAC_POLICY_LIST_UNBUSY();
3258 SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL);
3259 SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL);
3264 __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
3271 __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
3278 __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
3285 __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
3292 __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
3299 __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
3306 mac_syscall(struct thread *td, struct mac_syscall_args *uap)
projects / FreeBSD / FreeBSD.git / blob