2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001 Ilmar S. Habibulin
4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
7 * This software was developed by Robert Watson and Ilmar Habibulin for the
10 * This software was developed for the FreeBSD Project in part by NAI Labs,
11 * the Security Research Division of Network Associates, Inc. under
12 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
13 * CHATS research program.
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 * 3. The names of the authors may not be used to endorse or promote
24 * products derived from this software without specific prior written
27 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
42 * Developed by the TrustedBSD Project.
44 * Framework for extensible kernel access control. Kernel and userland
45 * interface to the framework, policy registration and composition.
49 #include "opt_devfs.h"
51 #include <sys/param.h>
52 #include <sys/extattr.h>
53 #include <sys/kernel.h>
55 #include <sys/malloc.h>
56 #include <sys/mutex.h>
58 #include <sys/module.h>
60 #include <sys/systm.h>
61 #include <sys/sysproto.h>
62 #include <sys/sysent.h>
63 #include <sys/vnode.h>
64 #include <sys/mount.h>
66 #include <sys/namei.h>
67 #include <sys/socket.h>
69 #include <sys/socketvar.h>
70 #include <sys/sysctl.h>
74 #include <vm/vm_map.h>
75 #include <vm/vm_object.h>
77 #include <sys/mac_policy.h>
79 #include <fs/devfs/devfs.h>
81 #include <net/bpfdesc.h>
83 #include <net/if_var.h>
85 #include <netinet/in.h>
86 #include <netinet/ip_var.h>
91 * Declare that the kernel provides MAC support, version 1. This permits
92 * modules to refuse to be loaded if the necessary support isn't present,
93 * even if it's pre-boot.
95 MODULE_VERSION(kernel_mac_support, 1);
97 SYSCTL_DECL(_security);
99 SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0,
100 "TrustedBSD MAC policy controls");
102 #if MAC_MAX_POLICIES > 32
103 #error "MAC_MAX_POLICIES too large"
106 static unsigned int mac_max_policies = MAC_MAX_POLICIES;
107 static unsigned int mac_policy_offsets_free = (1 << MAC_MAX_POLICIES) - 1;
108 SYSCTL_UINT(_security_mac, OID_AUTO, max_policies, CTLFLAG_RD,
109 &mac_max_policies, 0, "");
111 static int mac_late = 0;
113 static int mac_enforce_fs = 1;
114 SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
115 &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
116 TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
118 static int mac_enforce_network = 1;
119 SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
120 &mac_enforce_network, 0, "Enforce MAC policy on network packets");
121 TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
123 static int mac_enforce_pipe = 1;
124 SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
125 &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
126 TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);
128 static int mac_enforce_process = 1;
129 SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
130 &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
131 TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
133 static int mac_enforce_socket = 1;
134 SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
135 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
136 TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
138 static int mac_enforce_vm = 1;
139 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
140 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
141 TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);
143 static int mac_label_size = sizeof(struct oldmac);
144 SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD,
145 &mac_label_size, 0, "Pre-compiled MAC label size");
147 static int mac_cache_fslabel_in_vnode = 1;
148 SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW,
149 &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode");
150 TUNABLE_INT("security.mac.cache_fslabel_in_vnode",
151 &mac_cache_fslabel_in_vnode);
153 static int mac_vnode_label_cache_hits = 0;
154 SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD,
155 &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels");
156 static int mac_vnode_label_cache_misses = 0;
157 SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD,
158 &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels");
160 static int mac_mmap_revocation = 1;
161 SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW,
162 &mac_mmap_revocation, 0, "Revoke mmap access to files on subject "
164 static int mac_mmap_revocation_via_cow = 0;
165 SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW,
166 &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
167 "copy-on-write semantics, or by removing all write access");
170 SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0,
171 "TrustedBSD MAC debug info");
173 static int mac_debug_label_fallback = 0;
174 SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW,
175 &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label"
176 "when label is corrupted.");
177 TUNABLE_INT("security.mac.debug_label_fallback",
178 &mac_debug_label_fallback);
180 SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
181 "TrustedBSD MAC object counters");
183 static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
184 nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
187 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
188 &nmacmbufs, 0, "number of mbufs in use");
189 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
190 &nmaccreds, 0, "number of ucreds in use");
191 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD,
192 &nmacifnets, 0, "number of ifnets in use");
193 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD,
194 &nmacipqs, 0, "number of ipqs in use");
195 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, bpfdescs, CTLFLAG_RD,
196 &nmacbpfdescs, 0, "number of bpfdescs in use");
197 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
198 &nmacsockets, 0, "number of sockets in use");
199 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD,
200 &nmacpipes, 0, "number of pipes in use");
201 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD,
202 &nmacmounts, 0, "number of mounts in use");
203 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
204 &nmactemp, 0, "number of temporary labels in use");
205 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, vnodes, CTLFLAG_RD,
206 &nmacvnodes, 0, "number of vnodes in use");
207 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD,
208 &nmacdevfsdirents, 0, "number of devfs dirents inuse");
211 static int error_select(int error1, int error2);
212 static int mac_externalize_vnode_oldmac(struct label *label,
213 struct oldmac *extmac);
214 static int mac_policy_register(struct mac_policy_conf *mpc);
215 static int mac_policy_unregister(struct mac_policy_conf *mpc);
217 static int mac_stdcreatevnode_ea(struct vnode *vp);
218 static void mac_check_vnode_mmap_downgrade(struct ucred *cred,
219 struct vnode *vp, int *prot);
220 static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
221 struct ucred *cred, struct vm_map *map);
223 static void mac_destroy_socket_label(struct label *label);
225 MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
226 MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
227 MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage");
230 * mac_policy_list_lock protects the consistency of 'mac_policy_list',
231 * the linked list of attached policy modules. Read-only consumers of
232 * the list must acquire a shared lock for the duration of their use;
233 * writers must acquire an exclusive lock. Note that for compound
234 * operations, locks should be held for the entire compound operation,
235 * and that this is not yet done for relabel requests.
237 static struct mtx mac_policy_list_lock;
238 static LIST_HEAD(, mac_policy_conf) mac_policy_list;
239 static int mac_policy_list_busy;
240 #define MAC_POLICY_LIST_LOCKINIT() mtx_init(&mac_policy_list_lock, \
241 "mac_policy_list_lock", NULL, MTX_DEF);
242 #define MAC_POLICY_LIST_LOCK() mtx_lock(&mac_policy_list_lock);
243 #define MAC_POLICY_LIST_UNLOCK() mtx_unlock(&mac_policy_list_lock);
245 #define MAC_POLICY_LIST_BUSY() do { \
246 MAC_POLICY_LIST_LOCK(); \
247 mac_policy_list_busy++; \
248 MAC_POLICY_LIST_UNLOCK(); \
251 #define MAC_POLICY_LIST_UNBUSY() do { \
252 MAC_POLICY_LIST_LOCK(); \
253 mac_policy_list_busy--; \
254 if (mac_policy_list_busy < 0) \
255 panic("Extra mac_policy_list_busy--"); \
256 MAC_POLICY_LIST_UNLOCK(); \
260 * MAC_CHECK performs the designated check by walking the policy
261 * module list and checking with each as to how it feels about the
262 * request. Note that it returns its value via 'error' in the scope
265 #define MAC_CHECK(check, args...) do { \
266 struct mac_policy_conf *mpc; \
269 MAC_POLICY_LIST_BUSY(); \
270 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
271 if (mpc->mpc_ops->mpo_ ## check != NULL) \
272 error = error_select( \
273 mpc->mpc_ops->mpo_ ## check (args), \
276 MAC_POLICY_LIST_UNBUSY(); \
280 * MAC_BOOLEAN performs the designated boolean composition by walking
281 * the module list, invoking each instance of the operation, and
282 * combining the results using the passed C operator. Note that it
283 * returns its value via 'result' in the scope of the caller, which
284 * should be initialized by the caller in a meaningful way to get
285 * a meaningful result.
287 #define MAC_BOOLEAN(operation, composition, args...) do { \
288 struct mac_policy_conf *mpc; \
290 MAC_POLICY_LIST_BUSY(); \
291 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
292 if (mpc->mpc_ops->mpo_ ## operation != NULL) \
293 result = result composition \
294 mpc->mpc_ops->mpo_ ## operation (args); \
296 MAC_POLICY_LIST_UNBUSY(); \
299 #define MAC_EXTERNALIZE(type, label, elementlist, outbuf, \
301 char *curptr, *curptr_start, *element_name, *element_temp; \
302 size_t left, left_start, len; \
303 int claimed, first, first_start, ignorenotfound; \
306 element_temp = elementlist; \
311 while ((element_name = strsep(&element_temp, ",")) != NULL) { \
312 curptr_start = curptr; \
314 first_start = first; \
315 if (element_name[0] == '?') { \
317 ignorenotfound = 1; \
319 ignorenotfound = 0; \
322 len = snprintf(curptr, left, "%s/", \
326 len = snprintf(curptr, left, ",%s/", \
329 error = EINVAL; /* XXXMAC: E2BIG */ \
335 MAC_CHECK(externalize_ ## type, label, element_name, \
336 curptr, left, &len, &claimed); \
339 if (claimed == 1) { \
340 if (len >= outbuflen) { \
341 error = EINVAL; /* XXXMAC: E2BIG */ \
346 } else if (claimed == 0 && ignorenotfound) { \
348 * Revert addition of the label element \
351 curptr = curptr_start; \
354 first = first_start; \
356 error = EINVAL; /* XXXMAC: ENOLABEL */ \
362 #define MAC_INTERNALIZE(type, label, instring) do { \
363 char *element, *element_name, *element_data; \
367 element = instring; \
368 while ((element_name = strsep(&element, ",")) != NULL) { \
369 element_data = element_name; \
370 element_name = strsep(&element_data, "/"); \
371 if (element_data == NULL) { \
376 MAC_CHECK(internalize_ ## type, label, element_name, \
377 element_data, &claimed); \
380 if (claimed != 1) { \
381 /* XXXMAC: Another error here? */ \
389 * MAC_PERFORM performs the designated operation by walking the policy
390 * module list and invoking that operation for each policy.
392 #define MAC_PERFORM(operation, args...) do { \
393 struct mac_policy_conf *mpc; \
395 MAC_POLICY_LIST_BUSY(); \
396 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
397 if (mpc->mpc_ops->mpo_ ## operation != NULL) \
398 mpc->mpc_ops->mpo_ ## operation (args); \
400 MAC_POLICY_LIST_UNBUSY(); \
404 * Initialize the MAC subsystem, including appropriate SMP locks.
410 LIST_INIT(&mac_policy_list);
411 MAC_POLICY_LIST_LOCKINIT();
415 * For the purposes of modules that want to know if they were loaded
416 * "early", set the mac_late flag once we've processed modules either
417 * linked into the kernel, or loaded before the kernel startup.
427 * Allow MAC policy modules to register during boot, etc.
430 mac_policy_modevent(module_t mod, int type, void *data)
432 struct mac_policy_conf *mpc;
436 mpc = (struct mac_policy_conf *) data;
440 if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE &&
442 printf("mac_policy_modevent: can't load %s policy "
443 "after booting\n", mpc->mpc_name);
447 error = mac_policy_register(mpc);
450 /* Don't unregister the module if it was never registered. */
451 if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED)
453 error = mac_policy_unregister(mpc);
465 mac_policy_register(struct mac_policy_conf *mpc)
467 struct mac_policy_conf *tmpc;
468 struct mac_policy_op_entry *mpe;
471 MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*mpc->mpc_ops),
472 M_MACOPVEC, M_WAITOK | M_ZERO);
473 for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) {
474 switch (mpe->mpe_constant) {
477 * Doesn't actually happen, but this allows checking
478 * that all enumerated values are handled.
482 mpc->mpc_ops->mpo_destroy =
486 mpc->mpc_ops->mpo_init =
490 mpc->mpc_ops->mpo_syscall =
493 case MAC_INIT_BPFDESC_LABEL:
494 mpc->mpc_ops->mpo_init_bpfdesc_label =
497 case MAC_INIT_CRED_LABEL:
498 mpc->mpc_ops->mpo_init_cred_label =
501 case MAC_INIT_DEVFSDIRENT_LABEL:
502 mpc->mpc_ops->mpo_init_devfsdirent_label =
505 case MAC_INIT_IFNET_LABEL:
506 mpc->mpc_ops->mpo_init_ifnet_label =
509 case MAC_INIT_IPQ_LABEL:
510 mpc->mpc_ops->mpo_init_ipq_label =
513 case MAC_INIT_MBUF_LABEL:
514 mpc->mpc_ops->mpo_init_mbuf_label =
517 case MAC_INIT_MOUNT_LABEL:
518 mpc->mpc_ops->mpo_init_mount_label =
521 case MAC_INIT_MOUNT_FS_LABEL:
522 mpc->mpc_ops->mpo_init_mount_fs_label =
525 case MAC_INIT_PIPE_LABEL:
526 mpc->mpc_ops->mpo_init_pipe_label =
529 case MAC_INIT_SOCKET_LABEL:
530 mpc->mpc_ops->mpo_init_socket_label =
533 case MAC_INIT_SOCKET_PEER_LABEL:
534 mpc->mpc_ops->mpo_init_socket_peer_label =
537 case MAC_INIT_VNODE_LABEL:
538 mpc->mpc_ops->mpo_init_vnode_label =
541 case MAC_DESTROY_BPFDESC_LABEL:
542 mpc->mpc_ops->mpo_destroy_bpfdesc_label =
545 case MAC_DESTROY_CRED_LABEL:
546 mpc->mpc_ops->mpo_destroy_cred_label =
549 case MAC_DESTROY_DEVFSDIRENT_LABEL:
550 mpc->mpc_ops->mpo_destroy_devfsdirent_label =
553 case MAC_DESTROY_IFNET_LABEL:
554 mpc->mpc_ops->mpo_destroy_ifnet_label =
557 case MAC_DESTROY_IPQ_LABEL:
558 mpc->mpc_ops->mpo_destroy_ipq_label =
561 case MAC_DESTROY_MBUF_LABEL:
562 mpc->mpc_ops->mpo_destroy_mbuf_label =
565 case MAC_DESTROY_MOUNT_LABEL:
566 mpc->mpc_ops->mpo_destroy_mount_label =
569 case MAC_DESTROY_MOUNT_FS_LABEL:
570 mpc->mpc_ops->mpo_destroy_mount_fs_label =
573 case MAC_DESTROY_PIPE_LABEL:
574 mpc->mpc_ops->mpo_destroy_pipe_label =
577 case MAC_DESTROY_SOCKET_LABEL:
578 mpc->mpc_ops->mpo_destroy_socket_label =
581 case MAC_DESTROY_SOCKET_PEER_LABEL:
582 mpc->mpc_ops->mpo_destroy_socket_peer_label =
585 case MAC_DESTROY_VNODE_LABEL:
586 mpc->mpc_ops->mpo_destroy_vnode_label =
589 case MAC_COPY_PIPE_LABEL:
590 mpc->mpc_ops->mpo_copy_pipe_label =
593 case MAC_COPY_VNODE_LABEL:
594 mpc->mpc_ops->mpo_copy_vnode_label =
597 case MAC_EXTERNALIZE_CRED_LABEL:
598 mpc->mpc_ops->mpo_externalize_cred_label =
601 case MAC_EXTERNALIZE_IFNET_LABEL:
602 mpc->mpc_ops->mpo_externalize_ifnet_label =
605 case MAC_EXTERNALIZE_PIPE_LABEL:
606 mpc->mpc_ops->mpo_externalize_pipe_label =
609 case MAC_EXTERNALIZE_SOCKET_LABEL:
610 mpc->mpc_ops->mpo_externalize_socket_label =
613 case MAC_EXTERNALIZE_SOCKET_PEER_LABEL:
614 mpc->mpc_ops->mpo_externalize_socket_peer_label =
617 case MAC_EXTERNALIZE_VNODE_LABEL:
618 mpc->mpc_ops->mpo_externalize_vnode_label =
621 case MAC_EXTERNALIZE_VNODE_OLDMAC:
622 mpc->mpc_ops->mpo_externalize_vnode_oldmac =
625 case MAC_INTERNALIZE_CRED_LABEL:
626 mpc->mpc_ops->mpo_internalize_cred_label =
629 case MAC_INTERNALIZE_IFNET_LABEL:
630 mpc->mpc_ops->mpo_internalize_ifnet_label =
633 case MAC_INTERNALIZE_PIPE_LABEL:
634 mpc->mpc_ops->mpo_internalize_pipe_label =
637 case MAC_INTERNALIZE_SOCKET_LABEL:
638 mpc->mpc_ops->mpo_internalize_socket_label =
641 case MAC_INTERNALIZE_VNODE_LABEL:
642 mpc->mpc_ops->mpo_internalize_vnode_label =
645 case MAC_CREATE_DEVFS_DEVICE:
646 mpc->mpc_ops->mpo_create_devfs_device =
649 case MAC_CREATE_DEVFS_DIRECTORY:
650 mpc->mpc_ops->mpo_create_devfs_directory =
653 case MAC_CREATE_DEVFS_SYMLINK:
654 mpc->mpc_ops->mpo_create_devfs_symlink =
657 case MAC_CREATE_DEVFS_VNODE:
658 mpc->mpc_ops->mpo_create_devfs_vnode =
661 case MAC_STDCREATEVNODE_EA:
662 mpc->mpc_ops->mpo_stdcreatevnode_ea =
665 case MAC_CREATE_VNODE:
666 mpc->mpc_ops->mpo_create_vnode =
669 case MAC_CREATE_MOUNT:
670 mpc->mpc_ops->mpo_create_mount =
673 case MAC_CREATE_ROOT_MOUNT:
674 mpc->mpc_ops->mpo_create_root_mount =
677 case MAC_RELABEL_VNODE:
678 mpc->mpc_ops->mpo_relabel_vnode =
681 case MAC_UPDATE_DEVFSDIRENT:
682 mpc->mpc_ops->mpo_update_devfsdirent =
685 case MAC_UPDATE_PROCFSVNODE:
686 mpc->mpc_ops->mpo_update_procfsvnode =
689 case MAC_UPDATE_VNODE_FROM_EXTATTR:
690 mpc->mpc_ops->mpo_update_vnode_from_extattr =
693 case MAC_UPDATE_VNODE_FROM_EXTERNALIZED:
694 mpc->mpc_ops->mpo_update_vnode_from_externalized =
697 case MAC_UPDATE_VNODE_FROM_MOUNT:
698 mpc->mpc_ops->mpo_update_vnode_from_mount =
701 case MAC_CREATE_MBUF_FROM_SOCKET:
702 mpc->mpc_ops->mpo_create_mbuf_from_socket =
705 case MAC_CREATE_PIPE:
706 mpc->mpc_ops->mpo_create_pipe =
709 case MAC_CREATE_SOCKET:
710 mpc->mpc_ops->mpo_create_socket =
713 case MAC_CREATE_SOCKET_FROM_SOCKET:
714 mpc->mpc_ops->mpo_create_socket_from_socket =
717 case MAC_RELABEL_PIPE:
718 mpc->mpc_ops->mpo_relabel_pipe =
721 case MAC_RELABEL_SOCKET:
722 mpc->mpc_ops->mpo_relabel_socket =
725 case MAC_SET_SOCKET_PEER_FROM_MBUF:
726 mpc->mpc_ops->mpo_set_socket_peer_from_mbuf =
729 case MAC_SET_SOCKET_PEER_FROM_SOCKET:
730 mpc->mpc_ops->mpo_set_socket_peer_from_socket =
733 case MAC_CREATE_BPFDESC:
734 mpc->mpc_ops->mpo_create_bpfdesc =
737 case MAC_CREATE_DATAGRAM_FROM_IPQ:
738 mpc->mpc_ops->mpo_create_datagram_from_ipq =
741 case MAC_CREATE_FRAGMENT:
742 mpc->mpc_ops->mpo_create_fragment =
745 case MAC_CREATE_IFNET:
746 mpc->mpc_ops->mpo_create_ifnet =
750 mpc->mpc_ops->mpo_create_ipq =
753 case MAC_CREATE_MBUF_FROM_MBUF:
754 mpc->mpc_ops->mpo_create_mbuf_from_mbuf =
757 case MAC_CREATE_MBUF_LINKLAYER:
758 mpc->mpc_ops->mpo_create_mbuf_linklayer =
761 case MAC_CREATE_MBUF_FROM_BPFDESC:
762 mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc =
765 case MAC_CREATE_MBUF_FROM_IFNET:
766 mpc->mpc_ops->mpo_create_mbuf_from_ifnet =
769 case MAC_CREATE_MBUF_MULTICAST_ENCAP:
770 mpc->mpc_ops->mpo_create_mbuf_multicast_encap =
773 case MAC_CREATE_MBUF_NETLAYER:
774 mpc->mpc_ops->mpo_create_mbuf_netlayer =
777 case MAC_FRAGMENT_MATCH:
778 mpc->mpc_ops->mpo_fragment_match =
781 case MAC_RELABEL_IFNET:
782 mpc->mpc_ops->mpo_relabel_ifnet =
786 mpc->mpc_ops->mpo_update_ipq =
789 case MAC_CREATE_CRED:
790 mpc->mpc_ops->mpo_create_cred =
793 case MAC_EXECVE_TRANSITION:
794 mpc->mpc_ops->mpo_execve_transition =
797 case MAC_EXECVE_WILL_TRANSITION:
798 mpc->mpc_ops->mpo_execve_will_transition =
801 case MAC_CREATE_PROC0:
802 mpc->mpc_ops->mpo_create_proc0 =
805 case MAC_CREATE_PROC1:
806 mpc->mpc_ops->mpo_create_proc1 =
809 case MAC_RELABEL_CRED:
810 mpc->mpc_ops->mpo_relabel_cred =
813 case MAC_THREAD_USERRET:
814 mpc->mpc_ops->mpo_thread_userret =
817 case MAC_CHECK_BPFDESC_RECEIVE:
818 mpc->mpc_ops->mpo_check_bpfdesc_receive =
821 case MAC_CHECK_CRED_RELABEL:
822 mpc->mpc_ops->mpo_check_cred_relabel =
825 case MAC_CHECK_CRED_VISIBLE:
826 mpc->mpc_ops->mpo_check_cred_visible =
829 case MAC_CHECK_IFNET_RELABEL:
830 mpc->mpc_ops->mpo_check_ifnet_relabel =
833 case MAC_CHECK_IFNET_TRANSMIT:
834 mpc->mpc_ops->mpo_check_ifnet_transmit =
837 case MAC_CHECK_MOUNT_STAT:
838 mpc->mpc_ops->mpo_check_mount_stat =
841 case MAC_CHECK_PIPE_IOCTL:
842 mpc->mpc_ops->mpo_check_pipe_ioctl =
845 case MAC_CHECK_PIPE_POLL:
846 mpc->mpc_ops->mpo_check_pipe_poll =
849 case MAC_CHECK_PIPE_READ:
850 mpc->mpc_ops->mpo_check_pipe_read =
853 case MAC_CHECK_PIPE_RELABEL:
854 mpc->mpc_ops->mpo_check_pipe_relabel =
857 case MAC_CHECK_PIPE_STAT:
858 mpc->mpc_ops->mpo_check_pipe_stat =
861 case MAC_CHECK_PIPE_WRITE:
862 mpc->mpc_ops->mpo_check_pipe_write =
865 case MAC_CHECK_PROC_DEBUG:
866 mpc->mpc_ops->mpo_check_proc_debug =
869 case MAC_CHECK_PROC_SCHED:
870 mpc->mpc_ops->mpo_check_proc_sched =
873 case MAC_CHECK_PROC_SIGNAL:
874 mpc->mpc_ops->mpo_check_proc_signal =
877 case MAC_CHECK_SOCKET_BIND:
878 mpc->mpc_ops->mpo_check_socket_bind =
881 case MAC_CHECK_SOCKET_CONNECT:
882 mpc->mpc_ops->mpo_check_socket_connect =
885 case MAC_CHECK_SOCKET_DELIVER:
886 mpc->mpc_ops->mpo_check_socket_deliver =
889 case MAC_CHECK_SOCKET_LISTEN:
890 mpc->mpc_ops->mpo_check_socket_listen =
893 case MAC_CHECK_SOCKET_RECEIVE:
894 mpc->mpc_ops->mpo_check_socket_receive =
897 case MAC_CHECK_SOCKET_RELABEL:
898 mpc->mpc_ops->mpo_check_socket_relabel =
901 case MAC_CHECK_SOCKET_SEND:
902 mpc->mpc_ops->mpo_check_socket_send =
905 case MAC_CHECK_SOCKET_VISIBLE:
906 mpc->mpc_ops->mpo_check_socket_visible =
909 case MAC_CHECK_VNODE_ACCESS:
910 mpc->mpc_ops->mpo_check_vnode_access =
913 case MAC_CHECK_VNODE_CHDIR:
914 mpc->mpc_ops->mpo_check_vnode_chdir =
917 case MAC_CHECK_VNODE_CHROOT:
918 mpc->mpc_ops->mpo_check_vnode_chroot =
921 case MAC_CHECK_VNODE_CREATE:
922 mpc->mpc_ops->mpo_check_vnode_create =
925 case MAC_CHECK_VNODE_DELETE:
926 mpc->mpc_ops->mpo_check_vnode_delete =
929 case MAC_CHECK_VNODE_DELETEACL:
930 mpc->mpc_ops->mpo_check_vnode_deleteacl =
933 case MAC_CHECK_VNODE_EXEC:
934 mpc->mpc_ops->mpo_check_vnode_exec =
937 case MAC_CHECK_VNODE_GETACL:
938 mpc->mpc_ops->mpo_check_vnode_getacl =
941 case MAC_CHECK_VNODE_GETEXTATTR:
942 mpc->mpc_ops->mpo_check_vnode_getextattr =
945 case MAC_CHECK_VNODE_LINK:
946 mpc->mpc_ops->mpo_check_vnode_link =
949 case MAC_CHECK_VNODE_LOOKUP:
950 mpc->mpc_ops->mpo_check_vnode_lookup =
953 case MAC_CHECK_VNODE_MMAP:
954 mpc->mpc_ops->mpo_check_vnode_mmap =
957 case MAC_CHECK_VNODE_MMAP_DOWNGRADE:
958 mpc->mpc_ops->mpo_check_vnode_mmap_downgrade =
961 case MAC_CHECK_VNODE_MPROTECT:
962 mpc->mpc_ops->mpo_check_vnode_mprotect =
965 case MAC_CHECK_VNODE_OPEN:
966 mpc->mpc_ops->mpo_check_vnode_open =
969 case MAC_CHECK_VNODE_POLL:
970 mpc->mpc_ops->mpo_check_vnode_poll =
973 case MAC_CHECK_VNODE_READ:
974 mpc->mpc_ops->mpo_check_vnode_read =
977 case MAC_CHECK_VNODE_READDIR:
978 mpc->mpc_ops->mpo_check_vnode_readdir =
981 case MAC_CHECK_VNODE_READLINK:
982 mpc->mpc_ops->mpo_check_vnode_readlink =
985 case MAC_CHECK_VNODE_RELABEL:
986 mpc->mpc_ops->mpo_check_vnode_relabel =
989 case MAC_CHECK_VNODE_RENAME_FROM:
990 mpc->mpc_ops->mpo_check_vnode_rename_from =
993 case MAC_CHECK_VNODE_RENAME_TO:
994 mpc->mpc_ops->mpo_check_vnode_rename_to =
997 case MAC_CHECK_VNODE_REVOKE:
998 mpc->mpc_ops->mpo_check_vnode_revoke =
1001 case MAC_CHECK_VNODE_SETACL:
1002 mpc->mpc_ops->mpo_check_vnode_setacl =
1005 case MAC_CHECK_VNODE_SETEXTATTR:
1006 mpc->mpc_ops->mpo_check_vnode_setextattr =
1009 case MAC_CHECK_VNODE_SETFLAGS:
1010 mpc->mpc_ops->mpo_check_vnode_setflags =
1013 case MAC_CHECK_VNODE_SETMODE:
1014 mpc->mpc_ops->mpo_check_vnode_setmode =
1017 case MAC_CHECK_VNODE_SETOWNER:
1018 mpc->mpc_ops->mpo_check_vnode_setowner =
1021 case MAC_CHECK_VNODE_SETUTIMES:
1022 mpc->mpc_ops->mpo_check_vnode_setutimes =
1025 case MAC_CHECK_VNODE_STAT:
1026 mpc->mpc_ops->mpo_check_vnode_stat =
1029 case MAC_CHECK_VNODE_SWAPON:
1030 mpc->mpc_ops->mpo_check_vnode_swapon =
1033 case MAC_CHECK_VNODE_WRITE:
1034 mpc->mpc_ops->mpo_check_vnode_write =
1039 printf("MAC policy `%s': unknown operation %d\n",
1040 mpc->mpc_name, mpe->mpe_constant);
1045 MAC_POLICY_LIST_LOCK();
1046 if (mac_policy_list_busy > 0) {
1047 MAC_POLICY_LIST_UNLOCK();
1048 FREE(mpc->mpc_ops, M_MACOPVEC);
1049 mpc->mpc_ops = NULL;
1052 LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
1053 if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
1054 MAC_POLICY_LIST_UNLOCK();
1055 FREE(mpc->mpc_ops, M_MACOPVEC);
1056 mpc->mpc_ops = NULL;
1060 if (mpc->mpc_field_off != NULL) {
1061 slot = ffs(mac_policy_offsets_free);
1063 MAC_POLICY_LIST_UNLOCK();
1064 FREE(mpc->mpc_ops, M_MACOPVEC);
1065 mpc->mpc_ops = NULL;
1069 mac_policy_offsets_free &= ~(1 << slot);
1070 *mpc->mpc_field_off = slot;
1072 mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED;
1073 LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list);
1075 /* Per-policy initialization. */
1076 if (mpc->mpc_ops->mpo_init != NULL)
1077 (*(mpc->mpc_ops->mpo_init))(mpc);
1078 MAC_POLICY_LIST_UNLOCK();
1080 printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname,
1087 mac_policy_unregister(struct mac_policy_conf *mpc)
1091 * If we fail the load, we may get a request to unload. Check
1092 * to see if we did the run-time registration, and if not,
1095 MAC_POLICY_LIST_LOCK();
1096 if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) == 0) {
1097 MAC_POLICY_LIST_UNLOCK();
1102 * Don't allow unloading modules with private data.
1104 if (mpc->mpc_field_off != NULL) {
1105 MAC_POLICY_LIST_UNLOCK();
1110 * Only allow the unload to proceed if the module is unloadable
1111 * by its own definition.
1113 if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) {
1114 MAC_POLICY_LIST_UNLOCK();
1118 * Right now, we EBUSY if the list is in use. In the future,
1119 * for reliability reasons, we might want to sleep and wakeup
1120 * later to try again.
1122 if (mac_policy_list_busy > 0) {
1123 MAC_POLICY_LIST_UNLOCK();
1126 if (mpc->mpc_ops->mpo_destroy != NULL)
1127 (*(mpc->mpc_ops->mpo_destroy))(mpc);
1129 LIST_REMOVE(mpc, mpc_list);
1130 MAC_POLICY_LIST_UNLOCK();
1132 FREE(mpc->mpc_ops, M_MACOPVEC);
1133 mpc->mpc_ops = NULL;
1134 mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED;
1136 printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname,
1143 * Define an error value precedence, and given two arguments, selects the
1144 * value with the higher precedence.
1147 error_select(int error1, int error2)
1150 /* Certain decision-making errors take top priority. */
1151 if (error1 == EDEADLK || error2 == EDEADLK)
1154 /* Invalid arguments should be reported where possible. */
1155 if (error1 == EINVAL || error2 == EINVAL)
1158 /* Precedence goes to "visibility", with both process and file. */
1159 if (error1 == ESRCH || error2 == ESRCH)
1162 if (error1 == ENOENT || error2 == ENOENT)
1165 /* Precedence goes to DAC/MAC protections. */
1166 if (error1 == EACCES || error2 == EACCES)
1169 /* Precedence goes to privilege. */
1170 if (error1 == EPERM || error2 == EPERM)
1173 /* Precedence goes to error over success; otherwise, arbitrary. */
1180 mac_init_label(struct label *label)
1183 bzero(label, sizeof(*label));
1184 label->l_flags = MAC_FLAG_INITIALIZED;
1188 mac_destroy_label(struct label *label)
1191 KASSERT(label->l_flags & MAC_FLAG_INITIALIZED,
1192 ("destroying uninitialized label"));
1194 bzero(label, sizeof(*label));
1195 /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */
1199 mac_init_bpfdesc(struct bpf_d *bpf_d)
1202 mac_init_label(&bpf_d->bd_label);
1203 MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
1205 atomic_add_int(&nmacbpfdescs, 1);
1210 mac_init_cred_label(struct label *label)
1213 mac_init_label(label);
1214 MAC_PERFORM(init_cred_label, label);
1216 atomic_add_int(&nmaccreds, 1);
1221 mac_init_cred(struct ucred *cred)
1224 mac_init_cred_label(&cred->cr_label);
1228 mac_init_devfsdirent(struct devfs_dirent *de)
1231 mac_init_label(&de->de_label);
1232 MAC_PERFORM(init_devfsdirent_label, &de->de_label);
1234 atomic_add_int(&nmacdevfsdirents, 1);
1239 mac_init_ifnet_label(struct label *label)
1242 mac_init_label(label);
1243 MAC_PERFORM(init_ifnet_label, label);
1245 atomic_add_int(&nmacifnets, 1);
1250 mac_init_ifnet(struct ifnet *ifp)
1253 mac_init_ifnet_label(&ifp->if_label);
1257 mac_init_ipq(struct ipq *ipq)
1260 mac_init_label(&ipq->ipq_label);
1261 MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
1263 atomic_add_int(&nmacipqs, 1);
1268 mac_init_mbuf(struct mbuf *m, int flag)
1272 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf"));
1274 mac_init_label(&m->m_pkthdr.label);
1276 MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, flag);
1278 MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
1279 mac_destroy_label(&m->m_pkthdr.label);
1284 atomic_add_int(&nmacmbufs, 1);
1290 mac_init_mount(struct mount *mp)
1293 mac_init_label(&mp->mnt_mntlabel);
1294 mac_init_label(&mp->mnt_fslabel);
1295 MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
1296 MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
1298 atomic_add_int(&nmacmounts, 1);
1303 mac_init_pipe_label(struct label *label)
1306 mac_init_label(label);
1307 MAC_PERFORM(init_pipe_label, label);
1309 atomic_add_int(&nmacpipes, 1);
1314 mac_init_pipe(struct pipe *pipe)
1316 struct label *label;
1318 label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK);
1319 pipe->pipe_label = label;
1320 pipe->pipe_peer->pipe_label = label;
1321 mac_init_pipe_label(label);
1325 mac_init_socket_label(struct label *label, int flag)
1329 mac_init_label(label);
1331 MAC_CHECK(init_socket_label, label, flag);
1333 MAC_PERFORM(destroy_socket_label, label);
1334 mac_destroy_label(label);
1339 atomic_add_int(&nmacsockets, 1);
1346 mac_init_socket_peer_label(struct label *label, int flag)
1350 mac_init_label(label);
1352 MAC_CHECK(init_socket_peer_label, label, flag);
1354 MAC_PERFORM(destroy_socket_label, label);
1355 mac_destroy_label(label);
1362 mac_init_socket(struct socket *socket, int flag)
1366 error = mac_init_socket_label(&socket->so_label, flag);
1370 error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
1372 mac_destroy_socket_label(&socket->so_label);
1378 mac_init_vnode_label(struct label *label)
1381 mac_init_label(label);
1382 MAC_PERFORM(init_vnode_label, label);
1384 atomic_add_int(&nmacvnodes, 1);
1389 mac_init_vnode(struct vnode *vp)
1392 mac_init_vnode_label(&vp->v_label);
1396 mac_destroy_bpfdesc(struct bpf_d *bpf_d)
1399 MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
1400 mac_destroy_label(&bpf_d->bd_label);
1402 atomic_subtract_int(&nmacbpfdescs, 1);
1407 mac_destroy_cred_label(struct label *label)
1410 MAC_PERFORM(destroy_cred_label, label);
1411 mac_destroy_label(label);
1413 atomic_subtract_int(&nmaccreds, 1);
1418 mac_destroy_cred(struct ucred *cred)
1421 mac_destroy_cred_label(&cred->cr_label);
1425 mac_destroy_devfsdirent(struct devfs_dirent *de)
1428 MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
1429 mac_destroy_label(&de->de_label);
1431 atomic_subtract_int(&nmacdevfsdirents, 1);
1436 mac_destroy_ifnet_label(struct label *label)
1439 MAC_PERFORM(destroy_ifnet_label, label);
1440 mac_destroy_label(label);
1442 atomic_subtract_int(&nmacifnets, 1);
1447 mac_destroy_ifnet(struct ifnet *ifp)
1450 mac_destroy_ifnet_label(&ifp->if_label);
1454 mac_destroy_ipq(struct ipq *ipq)
1457 MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
1458 mac_destroy_label(&ipq->ipq_label);
1460 atomic_subtract_int(&nmacipqs, 1);
1465 mac_destroy_mbuf(struct mbuf *m)
1468 MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
1469 mac_destroy_label(&m->m_pkthdr.label);
1471 atomic_subtract_int(&nmacmbufs, 1);
1476 mac_destroy_mount(struct mount *mp)
1479 MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
1480 MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
1481 mac_destroy_label(&mp->mnt_fslabel);
1482 mac_destroy_label(&mp->mnt_mntlabel);
1484 atomic_subtract_int(&nmacmounts, 1);
1489 mac_destroy_pipe_label(struct label *label)
1492 MAC_PERFORM(destroy_pipe_label, label);
1493 mac_destroy_label(label);
1495 atomic_subtract_int(&nmacpipes, 1);
1500 mac_destroy_pipe(struct pipe *pipe)
1503 mac_destroy_pipe_label(pipe->pipe_label);
1504 free(pipe->pipe_label, M_MACPIPELABEL);
1508 mac_destroy_socket_label(struct label *label)
1511 MAC_PERFORM(destroy_socket_label, label);
1512 mac_destroy_label(label);
1514 atomic_subtract_int(&nmacsockets, 1);
1519 mac_destroy_socket_peer_label(struct label *label)
1522 MAC_PERFORM(destroy_socket_peer_label, label);
1523 mac_destroy_label(label);
1527 mac_destroy_socket(struct socket *socket)
1530 mac_destroy_socket_label(&socket->so_label);
1531 mac_destroy_socket_peer_label(&socket->so_peerlabel);
1535 mac_destroy_vnode_label(struct label *label)
1538 MAC_PERFORM(destroy_vnode_label, label);
1539 mac_destroy_label(label);
1541 atomic_subtract_int(&nmacvnodes, 1);
1546 mac_destroy_vnode(struct vnode *vp)
1549 mac_destroy_vnode_label(&vp->v_label);
1553 mac_copy_pipe_label(struct label *src, struct label *dest)
1556 MAC_PERFORM(copy_pipe_label, src, dest);
1560 mac_copy_vnode_label(struct label *src, struct label *dest)
1563 MAC_PERFORM(copy_vnode_label, src, dest);
1567 mac_check_structmac_consistent(struct mac *mac)
1570 if (mac->m_buflen > MAC_MAX_LABEL_BUF_LEN)
1577 mac_externalize_cred_label(struct label *label, char *elements,
1578 char *outbuf, size_t outbuflen, int flags)
1582 MAC_EXTERNALIZE(cred_label, label, elements, outbuf, outbuflen);
1588 mac_externalize_ifnet_label(struct label *label, char *elements,
1589 char *outbuf, size_t outbuflen, int flags)
1593 MAC_EXTERNALIZE(ifnet_label, label, elements, outbuf, outbuflen);
1599 mac_externalize_pipe_label(struct label *label, char *elements,
1600 char *outbuf, size_t outbuflen, int flags)
1604 MAC_EXTERNALIZE(pipe_label, label, elements, outbuf, outbuflen);
1610 mac_externalize_socket_label(struct label *label, char *elements,
1611 char *outbuf, size_t outbuflen, int flags)
1615 MAC_EXTERNALIZE(socket_label, label, elements, outbuf, outbuflen);
1621 mac_externalize_socket_peer_label(struct label *label, char *elements,
1622 char *outbuf, size_t outbuflen, int flags)
1626 MAC_EXTERNALIZE(socket_peer_label, label, elements, outbuf, outbuflen);
1632 mac_externalize_vnode_label(struct label *label, char *elements,
1633 char *outbuf, size_t outbuflen, int flags)
1637 MAC_EXTERNALIZE(vnode_label, label, elements, outbuf, outbuflen);
1643 mac_externalize_vnode_oldmac(struct label *label, struct oldmac *extmac)
1647 MAC_CHECK(externalize_vnode_oldmac, label, extmac);
1653 mac_internalize_cred_label(struct label *label, char *string)
1657 MAC_INTERNALIZE(cred_label, label, string);
1663 mac_internalize_ifnet_label(struct label *label, char *string)
1667 MAC_INTERNALIZE(ifnet_label, label, string);
1673 mac_internalize_pipe_label(struct label *label, char *string)
1677 MAC_INTERNALIZE(pipe_label, label, string);
1683 mac_internalize_socket_label(struct label *label, char *string)
1687 MAC_INTERNALIZE(socket_label, label, string);
1693 mac_internalize_vnode_label(struct label *label, char *string)
1697 MAC_INTERNALIZE(vnode_label, label, string);
1703 * Initialize MAC label for the first kernel process, from which other
1704 * kernel processes and threads are spawned.
1707 mac_create_proc0(struct ucred *cred)
1710 MAC_PERFORM(create_proc0, cred);
1714 * Initialize MAC label for the first userland process, from which other
1715 * userland processes and threads are spawned.
1718 mac_create_proc1(struct ucred *cred)
1721 MAC_PERFORM(create_proc1, cred);
1725 mac_thread_userret(struct thread *td)
1728 MAC_PERFORM(thread_userret, td);
1732 * When a new process is created, its label must be initialized. Generally,
1733 * this involves inheritence from the parent process, modulo possible
1734 * deltas. This function allows that processing to take place.
1737 mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
1740 MAC_PERFORM(create_cred, parent_cred, child_cred);
1744 mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp)
1747 MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label);
1751 mac_update_procfsvnode(struct vnode *vp, struct ucred *cred)
1754 MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred);
1758 * Support callout for policies that manage their own externalization
1759 * using extended attributes.
1762 mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp)
1766 MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp,
1773 * Given an externalized mac label, internalize it and stamp it on a
1777 mac_update_vnode_from_externalized(struct vnode *vp, struct oldmac *extmac)
1781 MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac);
1787 * Call out to individual policies to update the label in a vnode from
1791 mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp)
1794 MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp,
1797 ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount");
1798 if (mac_cache_fslabel_in_vnode)
1799 vp->v_vflag |= VV_CACHEDLABEL;
1803 * Implementation of VOP_REFRESHLABEL() that relies on extended attributes
1804 * to store label data. Can be referenced by filesystems supporting
1805 * extended attributes.
1808 vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap)
1810 struct vnode *vp = ap->a_vp;
1811 struct oldmac extmac;
1814 ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea");
1817 * Call out to external policies first. Order doesn't really
1818 * matter, as long as failure of one assures failure of all.
1820 error = mac_update_vnode_from_extattr(vp, vp->v_mount);
1824 buflen = sizeof(extmac);
1825 error = vn_extattr_get(vp, IO_NODELOCKED,
1826 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen,
1827 (char *)&extmac, curthread);
1835 * Use the label from the mount point.
1837 mac_update_vnode_from_mount(vp, vp->v_mount);
1842 /* Fail horribly. */
1846 if (buflen != sizeof(extmac))
1847 error = EPERM; /* Fail very closed. */
1849 error = mac_update_vnode_from_externalized(vp, &extmac);
1851 vp->v_vflag |= VV_CACHEDLABEL;
1855 printf("Corrupted label on %s",
1856 vp->v_mount->mnt_stat.f_mntonname);
1857 if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0)
1858 printf(" inum %ld", va.va_fileid);
1860 if (mac_debug_label_fallback) {
1861 printf(", falling back.\n");
1862 mac_update_vnode_from_mount(vp, vp->v_mount);
1877 * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle
1878 * the labeling activity outselves. Filesystems should be careful not
1879 * to change their minds regarding whether they support vop_refreshlabel()
1880 * for a vnode or not. Don't cache the vnode here, allow the file
1881 * system code to determine if it's safe to cache. If we update from
1882 * the mount, don't cache since a change to the mount label should affect
1886 vn_refreshlabel(struct vnode *vp, struct ucred *cred)
1890 ASSERT_VOP_LOCKED(vp, "vn_refreshlabel");
1892 if (vp->v_mount == NULL) {
1894 Eventually, we probably want to special-case refreshing
1895 of deadfs vnodes, and if there's a lock-free race somewhere,
1896 that case might be handled here.
1898 mac_update_vnode_deadfs(vp);
1901 /* printf("vn_refreshlabel: null v_mount\n"); */
1902 if (vp->v_type != VNON)
1904 "vn_refreshlabel: null v_mount with non-VNON\n");
1908 if (vp->v_vflag & VV_CACHEDLABEL) {
1909 mac_vnode_label_cache_hits++;
1912 mac_vnode_label_cache_misses++;
1914 if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) {
1915 mac_update_vnode_from_mount(vp, vp->v_mount);
1919 error = VOP_REFRESHLABEL(vp, cred, curthread);
1923 * If labels are not supported on this vnode, fall back to
1924 * the label in the mount and propagate it to the vnode.
1925 * There should probably be some sort of policy/flag/decision
1928 mac_update_vnode_from_mount(vp, vp->v_mount);
1936 * Helper function for file systems using the vop_std*_ea() calls. This
1937 * function must be called after EA service is available for the vnode,
1938 * but before it's hooked up to the namespace so that the node persists
1939 * if there's a crash, or before it can be accessed. On successful
1940 * commit of the label to disk (etc), do cache the label.
1943 vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred)
1945 struct oldmac extmac;
1948 ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea");
1949 if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) {
1950 mac_update_vnode_from_mount(tvp, tvp->v_mount);
1952 error = vn_refreshlabel(dvp, cred);
1957 * Stick the label in the vnode. Then try to write to
1958 * disk. If we fail, return a failure to abort the
1959 * create operation. Really, this failure shouldn't
1960 * happen except in fairly unusual circumstances (out
1963 mac_create_vnode(cred, dvp, tvp);
1965 error = mac_stdcreatevnode_ea(tvp);
1970 * XXX: Eventually this will go away and all policies will
1971 * directly manage their extended attributes.
1973 error = mac_externalize_vnode_oldmac(&tvp->v_label, &extmac);
1977 error = vn_extattr_set(tvp, IO_NODELOCKED,
1978 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME,
1979 sizeof(extmac), (char *)&extmac, curthread);
1981 tvp->v_vflag |= VV_CACHEDLABEL;
1985 * In theory, we could have fall-back behavior here.
1986 * It would probably be incorrect.
1997 mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp)
2001 ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
2003 error = vn_refreshlabel(vp, old);
2005 printf("mac_execve_transition: vn_refreshlabel returned %d\n",
2007 printf("mac_execve_transition: using old vnode label\n");
2010 MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label);
2014 mac_execve_will_transition(struct ucred *old, struct vnode *vp)
2018 error = vn_refreshlabel(vp, old);
2023 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label);
2029 mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags)
2033 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access");
2035 if (!mac_enforce_fs)
2038 error = vn_refreshlabel(vp, cred);
2042 MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags);
2047 mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp)
2051 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir");
2053 if (!mac_enforce_fs)
2056 error = vn_refreshlabel(dvp, cred);
2060 MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label);
2065 mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp)
2069 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot");
2071 if (!mac_enforce_fs)
2074 error = vn_refreshlabel(dvp, cred);
2078 MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label);
2083 mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
2084 struct componentname *cnp, struct vattr *vap)
2088 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create");
2090 if (!mac_enforce_fs)
2093 error = vn_refreshlabel(dvp, cred);
2097 MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap);
2102 mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
2103 struct componentname *cnp)
2107 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete");
2108 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete");
2110 if (!mac_enforce_fs)
2113 error = vn_refreshlabel(dvp, cred);
2116 error = vn_refreshlabel(vp, cred);
2120 MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp,
2126 mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
2131 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl");
2133 if (!mac_enforce_fs)
2136 error = vn_refreshlabel(vp, cred);
2140 MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type);
2145 mac_check_vnode_exec(struct ucred *cred, struct vnode *vp)
2149 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec");
2151 if (!mac_enforce_process && !mac_enforce_fs)
2154 error = vn_refreshlabel(vp, cred);
2157 MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label);
2163 mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
2167 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl");
2169 if (!mac_enforce_fs)
2172 error = vn_refreshlabel(vp, cred);
2176 MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type);
2181 mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
2182 int attrnamespace, const char *name, struct uio *uio)
2186 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr");
2188 if (!mac_enforce_fs)
2191 error = vn_refreshlabel(vp, cred);
2195 MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label,
2196 attrnamespace, name, uio);
2201 mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
2202 struct vnode *vp, struct componentname *cnp)
2206 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link");
2207 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link");
2209 if (!mac_enforce_fs)
2212 error = vn_refreshlabel(dvp, cred);
2216 error = vn_refreshlabel(vp, cred);
2220 MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp,
2226 mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
2227 struct componentname *cnp)
2231 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup");
2233 if (!mac_enforce_fs)
2236 error = vn_refreshlabel(dvp, cred);
2240 MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp);
2245 mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot)
2249 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap");
2251 if (!mac_enforce_fs || !mac_enforce_vm)
2254 error = vn_refreshlabel(vp, cred);
2258 MAC_CHECK(check_vnode_mmap, cred, vp, &vp->v_label, prot);
2263 mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
2267 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_downgrade");
2269 if (!mac_enforce_fs || !mac_enforce_vm)
2272 MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, &vp->v_label,
2279 mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot)
2283 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mprotect");
2285 if (!mac_enforce_fs || !mac_enforce_vm)
2288 error = vn_refreshlabel(vp, cred);
2292 MAC_CHECK(check_vnode_mprotect, cred, vp, &vp->v_label, prot);
2297 mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
2301 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
2303 if (!mac_enforce_fs)
2306 error = vn_refreshlabel(vp, cred);
2310 MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
2315 mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
2320 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
2322 if (!mac_enforce_fs)
2325 error = vn_refreshlabel(vp, active_cred);
2329 MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
2336 mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
2341 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
2343 if (!mac_enforce_fs)
2346 error = vn_refreshlabel(vp, active_cred);
2350 MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
2357 mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
2361 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir");
2363 if (!mac_enforce_fs)
2366 error = vn_refreshlabel(dvp, cred);
2370 MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label);
2375 mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp)
2379 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink");
2381 if (!mac_enforce_fs)
2384 error = vn_refreshlabel(vp, cred);
2388 MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label);
2393 mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
2394 struct label *newlabel)
2398 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel");
2400 error = vn_refreshlabel(vp, cred);
2404 MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel);
2410 mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
2411 struct vnode *vp, struct componentname *cnp)
2415 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from");
2416 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from");
2418 if (!mac_enforce_fs)
2421 error = vn_refreshlabel(dvp, cred);
2424 error = vn_refreshlabel(vp, cred);
2428 MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp,
2434 mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
2435 struct vnode *vp, int samedir, struct componentname *cnp)
2439 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to");
2440 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to");
2442 if (!mac_enforce_fs)
2445 error = vn_refreshlabel(dvp, cred);
2449 error = vn_refreshlabel(vp, cred);
2453 MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp,
2454 vp != NULL ? &vp->v_label : NULL, samedir, cnp);
2459 mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp)
2463 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke");
2465 if (!mac_enforce_fs)
2468 error = vn_refreshlabel(vp, cred);
2472 MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label);
2477 mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
2482 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl");
2484 if (!mac_enforce_fs)
2487 error = vn_refreshlabel(vp, cred);
2491 MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl);
2496 mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
2497 int attrnamespace, const char *name, struct uio *uio)
2501 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr");
2503 if (!mac_enforce_fs)
2506 error = vn_refreshlabel(vp, cred);
2510 MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label,
2511 attrnamespace, name, uio);
2516 mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
2520 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags");
2522 if (!mac_enforce_fs)
2525 error = vn_refreshlabel(vp, cred);
2529 MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags);
2534 mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
2538 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode");
2540 if (!mac_enforce_fs)
2543 error = vn_refreshlabel(vp, cred);
2547 MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode);
2552 mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
2557 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner");
2559 if (!mac_enforce_fs)
2562 error = vn_refreshlabel(vp, cred);
2566 MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid);
2571 mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
2572 struct timespec atime, struct timespec mtime)
2576 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes");
2578 if (!mac_enforce_fs)
2581 error = vn_refreshlabel(vp, cred);
2585 MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime,
2591 mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
2596 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat");
2598 if (!mac_enforce_fs)
2601 error = vn_refreshlabel(vp, active_cred);
2605 MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
2611 mac_check_vnode_swapon(struct ucred *cred, struct vnode *vp)
2615 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_swapon");
2617 if (!mac_enforce_fs)
2620 error = vn_refreshlabel(vp, cred);
2624 MAC_CHECK(check_vnode_swapon, cred, vp, &vp->v_label);
2629 mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
2634 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
2636 if (!mac_enforce_fs)
2639 error = vn_refreshlabel(vp, active_cred);
2643 MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
2650 * When relabeling a process, call out to the policies for the maximum
2651 * permission allowed for each object type we know about in its
2652 * memory space, and revoke access (in the least surprising ways we
2653 * know) when necessary. The process lock is not held here.
2656 mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred)
2659 /* XXX freeze all other threads */
2660 mac_cred_mmapped_drop_perms_recurse(td, cred,
2661 &td->td_proc->p_vmspace->vm_map);
2662 /* XXX allow other threads to continue */
2665 static __inline const char *
2666 prot2str(vm_prot_t prot)
2669 switch (prot & VM_PROT_ALL) {
2672 case VM_PROT_READ | VM_PROT_WRITE:
2674 case VM_PROT_READ | VM_PROT_EXECUTE:
2676 case VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE:
2680 case VM_PROT_EXECUTE:
2682 case VM_PROT_WRITE | VM_PROT_EXECUTE:
2690 mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
2693 struct vm_map_entry *vme;
2695 vm_prot_t revokeperms;
2697 vm_ooffset_t offset;
2700 if (!mac_mmap_revocation)
2703 vm_map_lock_read(map);
2704 for (vme = map->header.next; vme != &map->header; vme = vme->next) {
2705 if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) {
2706 mac_cred_mmapped_drop_perms_recurse(td, cred,
2707 vme->object.sub_map);
2711 * Skip over entries that obviously are not shared.
2713 if (vme->eflags & (MAP_ENTRY_COW | MAP_ENTRY_NOSYNC) ||
2714 !vme->max_protection)
2717 * Drill down to the deepest backing object.
2719 offset = vme->offset;
2720 object = vme->object.vm_object;
2723 while (object->backing_object != NULL) {
2724 object = object->backing_object;
2725 offset += object->backing_object_offset;
2728 * At the moment, vm_maps and objects aren't considered
2729 * by the MAC system, so only things with backing by a
2730 * normal object (read: vnodes) are checked.
2732 if (object->type != OBJT_VNODE)
2734 vp = (struct vnode *)object->handle;
2735 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
2736 result = vme->max_protection;
2737 mac_check_vnode_mmap_downgrade(cred, vp, &result);
2738 VOP_UNLOCK(vp, 0, td);
2740 * Find out what maximum protection we may be allowing
2741 * now but a policy needs to get removed.
2743 revokeperms = vme->max_protection & ~result;
2746 printf("pid %ld: revoking %s perms from %#lx:%ld "
2747 "(max %s/cur %s)\n", (long)td->td_proc->p_pid,
2748 prot2str(revokeperms), (u_long)vme->start,
2749 (long)(vme->end - vme->start),
2750 prot2str(vme->max_protection), prot2str(vme->protection));
2751 vm_map_lock_upgrade(map);
2753 * This is the really simple case: if a map has more
2754 * max_protection than is allowed, but it's not being
2755 * actually used (that is, the current protection is
2756 * still allowed), we can just wipe it out and do
2759 if ((vme->protection & revokeperms) == 0) {
2760 vme->max_protection -= revokeperms;
2762 if (revokeperms & VM_PROT_WRITE) {
2764 * In the more complicated case, flush out all
2765 * pending changes to the object then turn it
2768 vm_object_reference(object);
2769 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
2770 vm_object_page_clean(object,
2772 OFF_TO_IDX(offset + vme->end - vme->start +
2775 VOP_UNLOCK(vp, 0, td);
2776 vm_object_deallocate(object);
2778 * Why bother if there's no read permissions
2779 * anymore? For the rest, we need to leave
2780 * the write permissions on for COW, or
2781 * remove them entirely if configured to.
2783 if (!mac_mmap_revocation_via_cow) {
2784 vme->max_protection &= ~VM_PROT_WRITE;
2785 vme->protection &= ~VM_PROT_WRITE;
2786 } if ((revokeperms & VM_PROT_READ) == 0)
2787 vme->eflags |= MAP_ENTRY_COW |
2788 MAP_ENTRY_NEEDS_COPY;
2790 if (revokeperms & VM_PROT_EXECUTE) {
2791 vme->max_protection &= ~VM_PROT_EXECUTE;
2792 vme->protection &= ~VM_PROT_EXECUTE;
2794 if (revokeperms & VM_PROT_READ) {
2795 vme->max_protection = 0;
2796 vme->protection = 0;
2798 pmap_protect(map->pmap, vme->start, vme->end,
2799 vme->protection & ~revokeperms);
2800 vm_map_simplify_entry(map, vme);
2802 vm_map_lock_downgrade(map);
2804 vm_map_unlock_read(map);
2808 * When the subject's label changes, it may require revocation of privilege
2809 * to mapped objects. This can't be done on-the-fly later with a unified
2813 mac_relabel_cred(struct ucred *cred, struct label *newlabel)
2816 MAC_PERFORM(relabel_cred, cred, newlabel);
2820 mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel)
2823 MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel);
2827 mac_create_ifnet(struct ifnet *ifnet)
2830 MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label);
2834 mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d)
2837 MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label);
2841 mac_create_socket(struct ucred *cred, struct socket *socket)
2844 MAC_PERFORM(create_socket, cred, socket, &socket->so_label);
2848 mac_create_pipe(struct ucred *cred, struct pipe *pipe)
2851 MAC_PERFORM(create_pipe, cred, pipe, pipe->pipe_label);
2855 mac_create_socket_from_socket(struct socket *oldsocket,
2856 struct socket *newsocket)
2859 MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label,
2860 newsocket, &newsocket->so_label);
2864 mac_relabel_socket(struct ucred *cred, struct socket *socket,
2865 struct label *newlabel)
2868 MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel);
2872 mac_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *newlabel)
2875 MAC_PERFORM(relabel_pipe, cred, pipe, pipe->pipe_label, newlabel);
2879 mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket)
2882 MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, &mbuf->m_pkthdr.label,
2883 socket, &socket->so_peerlabel);
2887 mac_set_socket_peer_from_socket(struct socket *oldsocket,
2888 struct socket *newsocket)
2891 MAC_PERFORM(set_socket_peer_from_socket, oldsocket,
2892 &oldsocket->so_label, newsocket, &newsocket->so_peerlabel);
2896 mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram)
2899 MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label,
2900 datagram, &datagram->m_pkthdr.label);
2904 mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment)
2907 MAC_PERFORM(create_fragment, datagram, &datagram->m_pkthdr.label,
2908 fragment, &fragment->m_pkthdr.label);
2912 mac_create_ipq(struct mbuf *fragment, struct ipq *ipq)
2915 MAC_PERFORM(create_ipq, fragment, &fragment->m_pkthdr.label, ipq,
2920 mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf)
2923 MAC_PERFORM(create_mbuf_from_mbuf, oldmbuf, &oldmbuf->m_pkthdr.label,
2924 newmbuf, &newmbuf->m_pkthdr.label);
2928 mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf)
2931 MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf,
2932 &mbuf->m_pkthdr.label);
2936 mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf)
2939 MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf,
2940 &mbuf->m_pkthdr.label);
2944 mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf)
2947 MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf,
2948 &mbuf->m_pkthdr.label);
2952 mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet,
2953 struct mbuf *newmbuf)
2956 MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf,
2957 &oldmbuf->m_pkthdr.label, ifnet, &ifnet->if_label, newmbuf,
2958 &newmbuf->m_pkthdr.label);
2962 mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf)
2965 MAC_PERFORM(create_mbuf_netlayer, oldmbuf, &oldmbuf->m_pkthdr.label,
2966 newmbuf, &newmbuf->m_pkthdr.label);
2970 mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
2975 MAC_BOOLEAN(fragment_match, &&, fragment, &fragment->m_pkthdr.label,
2976 ipq, &ipq->ipq_label);
2982 mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
2985 MAC_PERFORM(update_ipq, fragment, &fragment->m_pkthdr.label, ipq,
2990 mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf)
2993 MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf,
2994 &mbuf->m_pkthdr.label);
2998 mac_create_mount(struct ucred *cred, struct mount *mp)
3001 MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel,
3006 mac_create_root_mount(struct ucred *cred, struct mount *mp)
3009 MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel,
3014 mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet)
3018 if (!mac_enforce_network)
3021 MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet,
3028 mac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
3032 MAC_CHECK(check_cred_relabel, cred, newlabel);
3038 mac_check_cred_visible(struct ucred *u1, struct ucred *u2)
3042 if (!mac_enforce_process)
3045 MAC_CHECK(check_cred_visible, u1, u2);
3051 mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf)
3055 if (!mac_enforce_network)
3058 KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr"));
3059 if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED))
3060 if_printf(ifnet, "not initialized\n");
3062 MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf,
3063 &mbuf->m_pkthdr.label);
3069 mac_check_mount_stat(struct ucred *cred, struct mount *mount)
3073 if (!mac_enforce_fs)
3076 MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel);
3082 mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
3087 PIPE_LOCK_ASSERT(pipe, MA_OWNED);
3089 if (!mac_enforce_pipe)
3092 MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data);
3098 mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
3102 PIPE_LOCK_ASSERT(pipe, MA_OWNED);
3104 if (!mac_enforce_pipe)
3107 MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
3113 mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
3117 PIPE_LOCK_ASSERT(pipe, MA_OWNED);
3119 if (!mac_enforce_pipe)
3122 MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
3128 mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
3129 struct label *newlabel)
3133 PIPE_LOCK_ASSERT(pipe, MA_OWNED);
3135 if (!mac_enforce_pipe)
3138 MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel);
3144 mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
3148 PIPE_LOCK_ASSERT(pipe, MA_OWNED);
3150 if (!mac_enforce_pipe)
3153 MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
3159 mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
3163 PIPE_LOCK_ASSERT(pipe, MA_OWNED);
3165 if (!mac_enforce_pipe)
3168 MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
3174 mac_check_proc_debug(struct ucred *cred, struct proc *proc)
3178 PROC_LOCK_ASSERT(proc, MA_OWNED);
3180 if (!mac_enforce_process)
3183 MAC_CHECK(check_proc_debug, cred, proc);
3189 mac_check_proc_sched(struct ucred *cred, struct proc *proc)
3193 PROC_LOCK_ASSERT(proc, MA_OWNED);
3195 if (!mac_enforce_process)
3198 MAC_CHECK(check_proc_sched, cred, proc);
3204 mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
3208 PROC_LOCK_ASSERT(proc, MA_OWNED);
3210 if (!mac_enforce_process)
3213 MAC_CHECK(check_proc_signal, cred, proc, signum);
3219 mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
3220 struct sockaddr *sockaddr)
3224 if (!mac_enforce_socket)
3227 MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label,
3234 mac_check_socket_connect(struct ucred *cred, struct socket *socket,
3235 struct sockaddr *sockaddr)
3239 if (!mac_enforce_socket)
3242 MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label,
3249 mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf)
3253 if (!mac_enforce_socket)
3256 MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf,
3257 &mbuf->m_pkthdr.label);
3263 mac_check_socket_listen(struct ucred *cred, struct socket *socket)
3267 if (!mac_enforce_socket)
3270 MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label);
3275 mac_check_socket_receive(struct ucred *cred, struct socket *so)
3279 if (!mac_enforce_socket)
3282 MAC_CHECK(check_socket_receive, cred, so, &so->so_label);
3288 mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
3289 struct label *newlabel)
3293 MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label,
3300 mac_check_socket_send(struct ucred *cred, struct socket *so)
3304 if (!mac_enforce_socket)
3307 MAC_CHECK(check_socket_send, cred, so, &so->so_label);
3313 mac_check_socket_visible(struct ucred *cred, struct socket *socket)
3317 if (!mac_enforce_socket)
3320 MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label);
3326 mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
3327 struct ifnet *ifnet)
3329 char *elements, *buffer;
3333 error = copyin(ifr->ifr_ifru.ifru_data, &mac, sizeof(mac));
3337 error = mac_check_structmac_consistent(&mac);
3341 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
3343 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
3345 free(elements, M_MACTEMP);
3349 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
3351 error = mac_externalize_ifnet_label(&ifnet->if_label, elements,
3352 buffer, mac.m_buflen, M_WAITOK);
3354 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
3356 free(buffer, M_MACTEMP);
3357 free(elements, M_MACTEMP);
3363 mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
3364 struct ifnet *ifnet)
3366 struct label intlabel;
3371 error = copyin(ifr->ifr_ifru.ifru_data, &mac, sizeof(mac));
3375 error = mac_check_structmac_consistent(&mac);
3379 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
3381 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
3383 free(buffer, M_MACTEMP);
3387 mac_init_ifnet_label(&intlabel);
3388 error = mac_internalize_ifnet_label(&intlabel, buffer);
3389 free(buffer, M_MACTEMP);
3391 mac_destroy_ifnet_label(&intlabel);
3396 * XXX: Note that this is a redundant privilege check, since
3397 * policies impose this check themselves if required by the
3398 * policy. Eventually, this should go away.
3400 error = suser_cred(cred, 0);
3402 mac_destroy_ifnet_label(&intlabel);
3406 MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label,
3409 mac_destroy_ifnet_label(&intlabel);
3413 MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel);
3415 mac_destroy_ifnet_label(&intlabel);
3420 mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp)
3423 MAC_PERFORM(create_devfs_vnode, de, &de->de_label, vp, &vp->v_label);
3427 mac_create_devfs_device(dev_t dev, struct devfs_dirent *de)
3430 MAC_PERFORM(create_devfs_device, dev, de, &de->de_label);
3434 mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
3435 struct devfs_dirent *de)
3438 MAC_PERFORM(create_devfs_symlink, cred, dd, &dd->de_label, de,
3443 mac_stdcreatevnode_ea(struct vnode *vp)
3447 MAC_CHECK(stdcreatevnode_ea, vp, &vp->v_label);
3453 mac_create_devfs_directory(char *dirname, int dirnamelen,
3454 struct devfs_dirent *de)
3457 MAC_PERFORM(create_devfs_directory, dirname, dirnamelen, de,
3462 * When a new vnode is created, this call will initialize its label.
3465 mac_create_vnode(struct ucred *cred, struct vnode *parent,
3466 struct vnode *child)
3470 ASSERT_VOP_LOCKED(parent, "mac_create_vnode");
3471 ASSERT_VOP_LOCKED(child, "mac_create_vnode");
3473 error = vn_refreshlabel(parent, cred);
3475 printf("mac_create_vnode: vn_refreshlabel returned %d\n",
3477 printf("mac_create_vnode: using old vnode label\n");
3480 MAC_PERFORM(create_vnode, cred, parent, &parent->v_label, child,
3485 mac_setsockopt_label_set(struct ucred *cred, struct socket *so,
3488 struct label intlabel;
3492 error = mac_check_structmac_consistent(mac);
3496 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK);
3498 error = copyinstr(mac->m_string, buffer, mac->m_buflen, NULL);
3500 free(buffer, M_MACTEMP);
3504 mac_init_socket_label(&intlabel, M_WAITOK);
3505 error = mac_internalize_socket_label(&intlabel, buffer);
3506 free(buffer, M_MACTEMP);
3508 mac_destroy_socket_label(&intlabel);
3512 mac_check_socket_relabel(cred, so, &intlabel);
3514 mac_destroy_socket_label(&intlabel);
3518 mac_relabel_socket(cred, so, &intlabel);
3520 mac_destroy_socket_label(&intlabel);
3525 mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label)
3529 PIPE_LOCK_ASSERT(pipe, MA_OWNED);
3531 error = mac_check_pipe_relabel(cred, pipe, label);
3535 mac_relabel_pipe(cred, pipe, label);
3541 mac_getsockopt_label_get(struct ucred *cred, struct socket *so,
3544 char *buffer, *elements;
3547 error = mac_check_structmac_consistent(mac);
3551 elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK);
3553 error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL);
3555 free(elements, M_MACTEMP);
3559 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
3561 error = mac_externalize_socket_label(&so->so_label, elements,
3562 buffer, mac->m_buflen, M_WAITOK);
3564 error = copyout(buffer, mac->m_string, strlen(buffer)+1);
3566 free(buffer, M_MACTEMP);
3567 free(elements, M_MACTEMP);
3573 mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so,
3576 char *elements, *buffer;
3579 error = mac_check_structmac_consistent(mac);
3583 elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK);
3585 error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL);
3587 free(elements, M_MACTEMP);
3591 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
3593 error = mac_externalize_socket_peer_label(&so->so_peerlabel,
3594 elements, buffer, mac->m_buflen, M_WAITOK);
3596 error = copyout(buffer, mac->m_string, strlen(buffer)+1);
3598 free(buffer, M_MACTEMP);
3599 free(elements, M_MACTEMP);
3605 * Implementation of VOP_SETLABEL() that relies on extended attributes
3606 * to store label data. Can be referenced by filesystems supporting
3607 * extended attributes.
3610 vop_stdsetlabel_ea(struct vop_setlabel_args *ap)
3612 struct vnode *vp = ap->a_vp;
3613 struct label *intlabel = ap->a_label;
3614 struct oldmac extmac;
3617 ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea");
3620 * XXX: Eventually call out to EA check/set calls here.
3621 * Be particularly careful to avoid race conditions,
3622 * consistency problems, and stability problems when
3623 * dealing with multiple EAs. In particular, we require
3624 * the ability to write multiple EAs on the same file in
3625 * a single transaction, which the current EA interface
3629 error = mac_externalize_vnode_oldmac(intlabel, &extmac);
3633 error = vn_extattr_set(vp, IO_NODELOCKED,
3634 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME,
3635 sizeof(extmac), (char *)&extmac, curthread);
3639 mac_relabel_vnode(ap->a_cred, vp, intlabel);
3641 vp->v_vflag |= VV_CACHEDLABEL;
3647 vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred)
3651 if (vp->v_mount == NULL) {
3652 /* printf("vn_setlabel: null v_mount\n"); */
3653 if (vp->v_type != VNON)
3654 printf("vn_setlabel: null v_mount with non-VNON\n");
3658 if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0)
3659 return (EOPNOTSUPP);
3662 * Multi-phase commit. First check the policies to confirm the
3663 * change is OK. Then commit via the filesystem. Finally,
3664 * update the actual vnode label. Question: maybe the filesystem
3665 * should update the vnode at the end as part of VOP_SETLABEL()?
3667 error = mac_check_vnode_relabel(cred, vp, intlabel);
3672 * VADMIN provides the opportunity for the filesystem to make
3673 * decisions about who is and is not able to modify labels
3674 * and protections on files. This might not be right. We can't
3675 * assume VOP_SETLABEL() will do it, because we might implement
3676 * that as part of vop_stdsetlabel_ea().
3678 error = VOP_ACCESS(vp, VADMIN, cred, curthread);
3682 error = VOP_SETLABEL(vp, intlabel, cred, curthread);
3690 __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
3692 char *elements, *buffer;
3695 struct ucred *tcred;
3698 error = copyin(SCARG(uap, mac_p), &mac, sizeof(mac));
3702 error = mac_check_structmac_consistent(&mac);
3706 tproc = pfind(uap->pid);
3710 tcred = NULL; /* Satisfy gcc. */
3711 error = p_cansee(td, tproc);
3713 tcred = crhold(tproc->p_ucred);
3718 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
3720 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
3722 free(elements, M_MACTEMP);
3727 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
3729 error = mac_externalize_cred_label(&tcred->cr_label, elements,
3730 buffer, mac.m_buflen, M_WAITOK);
3732 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
3734 free(buffer, M_MACTEMP);
3735 free(elements, M_MACTEMP);
3744 __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
3746 char *elements, *buffer;
3750 error = copyin(uap->mac_p, &mac, sizeof(mac));
3754 error = mac_check_structmac_consistent(&mac);
3758 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
3760 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
3762 free(elements, M_MACTEMP);
3766 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
3768 error = mac_externalize_cred_label(&td->td_ucred->cr_label,
3769 elements, buffer, mac.m_buflen, M_WAITOK);
3771 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
3773 free(buffer, M_MACTEMP);
3774 free(elements, M_MACTEMP);
3782 __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
3784 struct ucred *newcred, *oldcred;
3785 struct label intlabel;
3791 error = copyin(uap->mac_p, &mac, sizeof(mac));
3795 error = mac_check_structmac_consistent(&mac);
3799 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
3801 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
3803 free(buffer, M_MACTEMP);
3807 mac_init_cred_label(&intlabel);
3808 error = mac_internalize_cred_label(&intlabel, buffer);
3809 free(buffer, M_MACTEMP);
3811 mac_destroy_cred_label(&intlabel);
3819 oldcred = p->p_ucred;
3821 error = mac_check_cred_relabel(oldcred, &intlabel);
3829 crcopy(newcred, oldcred);
3830 mac_relabel_cred(newcred, &intlabel);
3831 p->p_ucred = newcred;
3834 * Grab additional reference for use while revoking mmaps, prior
3835 * to releasing the proc lock and sharing the cred.
3840 if (mac_enforce_vm) {
3842 mac_cred_mmapped_drop_perms(td, newcred);
3846 crfree(newcred); /* Free revocation reference. */
3850 mac_destroy_cred_label(&intlabel);
3858 __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
3860 char *elements, *buffer;
3861 struct label intlabel;
3869 error = copyin(uap->mac_p, &mac, sizeof(mac));
3873 error = mac_check_structmac_consistent(&mac);
3877 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
3879 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
3881 free(elements, M_MACTEMP);
3885 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
3887 mtx_lock(&Giant); /* VFS */
3888 error = fget(td, SCARG(uap, fd), &fp);
3892 label_type = fp->f_type;
3893 switch (fp->f_type) {
3896 vp = (struct vnode *)fp->f_data;
3898 mac_init_vnode_label(&intlabel);
3900 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
3901 error = vn_refreshlabel(vp, td->td_ucred);
3903 mac_copy_vnode_label(&vp->v_label, &intlabel);
3904 VOP_UNLOCK(vp, 0, td);
3908 pipe = (struct pipe *)fp->f_data;
3910 mac_init_pipe_label(&intlabel);
3913 mac_copy_pipe_label(pipe->pipe_label, &intlabel);
3923 switch (label_type) {
3927 error = mac_externalize_vnode_label(&intlabel,
3928 elements, buffer, mac.m_buflen, M_WAITOK);
3929 mac_destroy_vnode_label(&intlabel);
3932 error = mac_externalize_pipe_label(&intlabel, elements,
3933 buffer, mac.m_buflen, M_WAITOK);
3934 mac_destroy_pipe_label(&intlabel);
3937 panic("__mac_get_fd: corrupted label_type");
3941 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
3944 mtx_unlock(&Giant); /* VFS */
3945 free(buffer, M_MACTEMP);
3946 free(elements, M_MACTEMP);
3955 __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
3957 char *elements, *buffer;
3958 struct nameidata nd;
3959 struct label intlabel;
3963 error = copyin(uap->mac_p, &mac, sizeof(mac));
3967 error = mac_check_structmac_consistent(&mac);
3971 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
3973 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
3975 free(elements, M_MACTEMP);
3979 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
3981 mtx_lock(&Giant); /* VFS */
3982 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, uap->path_p,
3988 mac_init_vnode_label(&intlabel);
3989 error = vn_refreshlabel(nd.ni_vp, td->td_ucred);
3991 mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
3993 error = mac_externalize_vnode_label(&intlabel, elements,
3994 buffer, mac.m_buflen, M_WAITOK);
3997 mac_destroy_vnode_label(&intlabel);
4000 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
4003 mtx_unlock(&Giant); /* VFS */
4005 free(buffer, M_MACTEMP);
4006 free(elements, M_MACTEMP);
4015 __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
4017 char *elements, *buffer;
4018 struct nameidata nd;
4019 struct label intlabel;
4023 error = copyin(uap->mac_p, &mac, sizeof(mac));
4027 error = mac_check_structmac_consistent(&mac);
4031 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
4033 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
4035 free(elements, M_MACTEMP);
4039 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
4041 mtx_lock(&Giant); /* VFS */
4042 NDINIT(&nd, LOOKUP, LOCKLEAF | NOFOLLOW, UIO_USERSPACE, uap->path_p,
4048 mac_init_vnode_label(&intlabel);
4049 error = vn_refreshlabel(nd.ni_vp, td->td_ucred);
4051 mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
4053 error = mac_externalize_vnode_label(&intlabel, elements,
4054 buffer, mac.m_buflen, M_WAITOK);
4056 mac_destroy_vnode_label(&intlabel);
4059 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
4062 mtx_unlock(&Giant); /* VFS */
4064 free(buffer, M_MACTEMP);
4065 free(elements, M_MACTEMP);
4074 __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
4076 struct label intlabel;
4085 error = copyin(uap->mac_p, &mac, sizeof(mac));
4089 error = mac_check_structmac_consistent(&mac);
4093 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
4095 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
4097 free(buffer, M_MACTEMP);
4101 mtx_lock(&Giant); /* VFS */
4103 error = fget(td, SCARG(uap, fd), &fp);
4107 switch (fp->f_type) {
4110 mac_init_vnode_label(&intlabel);
4111 error = mac_internalize_vnode_label(&intlabel, buffer);
4113 mac_destroy_vnode_label(&intlabel);
4117 vp = (struct vnode *)fp->f_data;
4118 error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
4120 mac_destroy_vnode_label(&intlabel);
4124 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
4125 error = vn_setlabel(vp, &intlabel, td->td_ucred);
4126 VOP_UNLOCK(vp, 0, td);
4127 vn_finished_write(mp);
4129 mac_destroy_vnode_label(&intlabel);
4133 mac_init_pipe_label(&intlabel);
4134 error = mac_internalize_pipe_label(&intlabel, buffer);
4136 pipe = (struct pipe *)fp->f_data;
4138 error = mac_pipe_label_set(td->td_ucred, pipe,
4143 mac_destroy_pipe_label(&intlabel);
4152 mtx_unlock(&Giant); /* VFS */
4154 free(buffer, M_MACTEMP);
4163 __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
4165 struct label intlabel;
4166 struct nameidata nd;
4172 error = copyin(uap->mac_p, &mac, sizeof(mac));
4176 error = mac_check_structmac_consistent(&mac);
4180 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
4182 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
4184 free(buffer, M_MACTEMP);
4188 mac_init_vnode_label(&intlabel);
4189 error = mac_internalize_vnode_label(&intlabel, buffer);
4190 free(buffer, M_MACTEMP);
4192 mac_destroy_vnode_label(&intlabel);
4196 mtx_lock(&Giant); /* VFS */
4198 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, uap->path_p,
4202 error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
4204 error = vn_setlabel(nd.ni_vp, &intlabel,
4206 vn_finished_write(mp);
4210 mtx_unlock(&Giant); /* VFS */
4211 mac_destroy_vnode_label(&intlabel);
4220 __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
4222 struct label intlabel;
4223 struct nameidata nd;
4229 error = copyin(uap->mac_p, &mac, sizeof(mac));
4233 error = mac_check_structmac_consistent(&mac);
4237 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
4239 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
4241 free(buffer, M_MACTEMP);
4245 mac_init_vnode_label(&intlabel);
4246 error = mac_internalize_vnode_label(&intlabel, buffer);
4247 free(buffer, M_MACTEMP);
4249 mac_destroy_vnode_label(&intlabel);
4253 mtx_lock(&Giant); /* VFS */
4255 NDINIT(&nd, LOOKUP, LOCKLEAF | NOFOLLOW, UIO_USERSPACE, uap->path_p,
4259 error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
4261 error = vn_setlabel(nd.ni_vp, &intlabel,
4263 vn_finished_write(mp);
4267 mtx_unlock(&Giant); /* VFS */
4268 mac_destroy_vnode_label(&intlabel);
4277 mac_syscall(struct thread *td, struct mac_syscall_args *uap)
4279 struct mac_policy_conf *mpc;
4280 char target[MAC_MAX_POLICY_NAME];
4283 error = copyinstr(SCARG(uap, policy), target, sizeof(target), NULL);
4288 MAC_POLICY_LIST_BUSY();
4289 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {
4290 if (strcmp(mpc->mpc_name, target) == 0 &&
4291 mpc->mpc_ops->mpo_syscall != NULL) {
4292 error = mpc->mpc_ops->mpo_syscall(td,
4293 SCARG(uap, call), SCARG(uap, arg));
4299 MAC_POLICY_LIST_UNBUSY();
4303 SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL);
4304 SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL);
4309 __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
4316 __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
4323 __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
4330 __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
4337 __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
4344 __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
4351 __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
4358 __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
4365 __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
4372 mac_syscall(struct thread *td, struct mac_syscall_args *uap)
projects / FreeBSD / FreeBSD.git / blob