2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
6 * This software was developed by Robert Watson for the TrustedBSD Project.
8 * This software was developed for the FreeBSD Project in part by NAI Labs,
9 * the Security Research Division of Network Associates, Inc. under
10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
11 * CHATS research program.
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 * 3. The names of the authors may not be used to endorse or promote
22 * products derived from this software without specific prior written
25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
41 * Developed by the TrustedBSD Project.
42 * Biba fixed label mandatory integrity policy.
45 #include <sys/types.h>
46 #include <sys/param.h>
49 #include <sys/kernel.h>
51 #include <sys/malloc.h>
52 #include <sys/mount.h>
54 #include <sys/systm.h>
55 #include <sys/sysproto.h>
56 #include <sys/sysent.h>
57 #include <sys/vnode.h>
59 #include <sys/socket.h>
60 #include <sys/socketvar.h>
62 #include <sys/sysctl.h>
64 #include <fs/devfs/devfs.h>
66 #include <net/bpfdesc.h>
68 #include <net/if_types.h>
69 #include <net/if_var.h>
71 #include <netinet/in.h>
72 #include <netinet/ip_var.h>
76 #include <sys/mac_policy.h>
78 #include <security/mac_biba/mac_biba.h>
80 SYSCTL_DECL(_security_mac);
82 SYSCTL_NODE(_security_mac, OID_AUTO, biba, CTLFLAG_RW, 0,
83 "TrustedBSD mac_biba policy controls");
85 static int mac_biba_enabled = 0;
86 SYSCTL_INT(_security_mac_biba, OID_AUTO, enabled, CTLFLAG_RW,
87 &mac_biba_enabled, 0, "Enforce MAC/Biba policy");
88 TUNABLE_INT("security.mac.biba.enabled", &mac_biba_enabled);
90 static int destroyed_not_inited;
91 SYSCTL_INT(_security_mac_biba, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
92 &destroyed_not_inited, 0, "Count of labels destroyed but not inited");
94 static int trust_all_interfaces = 0;
95 SYSCTL_INT(_security_mac_biba, OID_AUTO, trust_all_interfaces, CTLFLAG_RD,
96 &trust_all_interfaces, 0, "Consider all interfaces 'trusted' by MAC/Biba");
97 TUNABLE_INT("security.mac.biba.trust_all_interfaces", &trust_all_interfaces);
99 static char trusted_interfaces[128];
100 SYSCTL_STRING(_security_mac_biba, OID_AUTO, trusted_interfaces, CTLFLAG_RD,
101 trusted_interfaces, 0, "Interfaces considered 'trusted' by MAC/Biba");
102 TUNABLE_STR("security.mac.biba.trusted_interfaces", trusted_interfaces,
103 sizeof(trusted_interfaces));
105 static int max_compartments = MAC_BIBA_MAX_COMPARTMENTS;
106 SYSCTL_INT(_security_mac_biba, OID_AUTO, max_compartments, CTLFLAG_RD,
107 &max_compartments, 0, "Maximum supported compartments");
109 static int ptys_equal = 0;
110 SYSCTL_INT(_security_mac_biba, OID_AUTO, ptys_equal, CTLFLAG_RW,
111 &ptys_equal, 0, "Label pty devices as biba/equal on create");
112 TUNABLE_INT("security.mac.biba.ptys_equal", &ptys_equal);
114 static int revocation_enabled = 0;
115 SYSCTL_INT(_security_mac_biba, OID_AUTO, revocation_enabled, CTLFLAG_RW,
116 &revocation_enabled, 0, "Revoke access to objects on relabel");
117 TUNABLE_INT("security.mac.biba.revocation_enabled", &revocation_enabled);
119 static int mac_biba_slot;
120 #define SLOT(l) ((struct mac_biba *)LABEL_TO_SLOT((l), mac_biba_slot).l_ptr)
122 MALLOC_DEFINE(M_MACBIBA, "biba label", "MAC/Biba labels");
125 biba_bit_set_empty(u_char *set) {
128 for (i = 0; i < MAC_BIBA_MAX_COMPARTMENTS >> 3; i++)
134 static struct mac_biba *
137 struct mac_biba *mac_biba;
139 mac_biba = malloc(sizeof(struct mac_biba), M_MACBIBA, M_ZERO | flag);
145 biba_free(struct mac_biba *mac_biba)
148 if (mac_biba != NULL)
149 free(mac_biba, M_MACBIBA);
151 atomic_add_int(&destroyed_not_inited, 1);
155 biba_atmostflags(struct mac_biba *mac_biba, int flags)
158 if ((mac_biba->mb_flags & flags) != mac_biba->mb_flags)
164 mac_biba_dominate_element(struct mac_biba_element *a,
165 struct mac_biba_element *b)
169 switch(a->mbe_type) {
170 case MAC_BIBA_TYPE_EQUAL:
171 case MAC_BIBA_TYPE_HIGH:
174 case MAC_BIBA_TYPE_LOW:
175 switch (b->mbe_type) {
176 case MAC_BIBA_TYPE_GRADE:
177 case MAC_BIBA_TYPE_HIGH:
180 case MAC_BIBA_TYPE_EQUAL:
181 case MAC_BIBA_TYPE_LOW:
185 panic("mac_biba_dominate_element: b->mbe_type invalid");
188 case MAC_BIBA_TYPE_GRADE:
189 switch (b->mbe_type) {
190 case MAC_BIBA_TYPE_EQUAL:
191 case MAC_BIBA_TYPE_LOW:
194 case MAC_BIBA_TYPE_HIGH:
197 case MAC_BIBA_TYPE_GRADE:
198 for (bit = 1; bit <= MAC_BIBA_MAX_COMPARTMENTS; bit++)
199 if (!MAC_BIBA_BIT_TEST(bit,
200 a->mbe_compartments) &&
201 MAC_BIBA_BIT_TEST(bit, b->mbe_compartments))
203 return (a->mbe_grade >= b->mbe_grade);
206 panic("mac_biba_dominate_element: b->mbe_type invalid");
210 panic("mac_biba_dominate_element: a->mbe_type invalid");
217 mac_biba_range_in_range(struct mac_biba *rangea, struct mac_biba *rangeb)
220 return (mac_biba_dominate_element(&rangeb->mb_rangehigh,
221 &rangea->mb_rangehigh) &&
222 mac_biba_dominate_element(&rangea->mb_rangelow,
223 &rangeb->mb_rangelow));
227 mac_biba_single_in_range(struct mac_biba *single, struct mac_biba *range)
230 KASSERT((single->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
231 ("mac_biba_single_in_range: a not single"));
232 KASSERT((range->mb_flags & MAC_BIBA_FLAG_RANGE) != 0,
233 ("mac_biba_single_in_range: b not range"));
235 return (mac_biba_dominate_element(&range->mb_rangehigh,
236 &single->mb_single) &&
237 mac_biba_dominate_element(&single->mb_single,
238 &range->mb_rangelow));
244 mac_biba_dominate_single(struct mac_biba *a, struct mac_biba *b)
246 KASSERT((a->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
247 ("mac_biba_dominate_single: a not single"));
248 KASSERT((b->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
249 ("mac_biba_dominate_single: b not single"));
251 return (mac_biba_dominate_element(&a->mb_single, &b->mb_single));
255 mac_biba_equal_element(struct mac_biba_element *a, struct mac_biba_element *b)
258 if (a->mbe_type == MAC_BIBA_TYPE_EQUAL ||
259 b->mbe_type == MAC_BIBA_TYPE_EQUAL)
262 return (a->mbe_type == b->mbe_type && a->mbe_grade == b->mbe_grade);
266 mac_biba_equal_single(struct mac_biba *a, struct mac_biba *b)
269 KASSERT((a->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
270 ("mac_biba_equal_single: a not single"));
271 KASSERT((b->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
272 ("mac_biba_equal_single: b not single"));
274 return (mac_biba_equal_element(&a->mb_single, &b->mb_single));
278 mac_biba_contains_equal(struct mac_biba *mac_biba)
281 if (mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE)
282 if (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_EQUAL)
285 if (mac_biba->mb_flags & MAC_BIBA_FLAG_RANGE) {
286 if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL)
288 if (mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
296 mac_biba_subject_equal_ok(struct mac_biba *mac_biba)
299 KASSERT((mac_biba->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
301 ("mac_biba_subject_equal_ok: subject doesn't have both labels"));
303 /* If the single is EQUAL, it's ok. */
304 if (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_EQUAL)
307 /* If either range endpoint is EQUAL, it's ok. */
308 if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL ||
309 mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
312 /* If the range is low-high, it's ok. */
313 if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_LOW &&
314 mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_HIGH)
322 mac_biba_valid(struct mac_biba *mac_biba)
325 if (mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE) {
326 switch (mac_biba->mb_single.mbe_type) {
327 case MAC_BIBA_TYPE_GRADE:
330 case MAC_BIBA_TYPE_EQUAL:
331 case MAC_BIBA_TYPE_HIGH:
332 case MAC_BIBA_TYPE_LOW:
333 if (mac_biba->mb_single.mbe_grade != 0 ||
334 !MAC_BIBA_BIT_SET_EMPTY(
335 mac_biba->mb_single.mbe_compartments))
343 if (mac_biba->mb_single.mbe_type != MAC_BIBA_TYPE_UNDEF)
347 if (mac_biba->mb_flags & MAC_BIBA_FLAG_RANGE) {
348 switch (mac_biba->mb_rangelow.mbe_type) {
349 case MAC_BIBA_TYPE_GRADE:
352 case MAC_BIBA_TYPE_EQUAL:
353 case MAC_BIBA_TYPE_HIGH:
354 case MAC_BIBA_TYPE_LOW:
355 if (mac_biba->mb_rangelow.mbe_grade != 0 ||
356 !MAC_BIBA_BIT_SET_EMPTY(
357 mac_biba->mb_rangelow.mbe_compartments))
365 switch (mac_biba->mb_rangehigh.mbe_type) {
366 case MAC_BIBA_TYPE_GRADE:
369 case MAC_BIBA_TYPE_EQUAL:
370 case MAC_BIBA_TYPE_HIGH:
371 case MAC_BIBA_TYPE_LOW:
372 if (mac_biba->mb_rangehigh.mbe_grade != 0 ||
373 !MAC_BIBA_BIT_SET_EMPTY(
374 mac_biba->mb_rangehigh.mbe_compartments))
381 if (!mac_biba_dominate_element(&mac_biba->mb_rangehigh,
382 &mac_biba->mb_rangelow))
385 if (mac_biba->mb_rangelow.mbe_type != MAC_BIBA_TYPE_UNDEF ||
386 mac_biba->mb_rangehigh.mbe_type != MAC_BIBA_TYPE_UNDEF)
394 mac_biba_set_range(struct mac_biba *mac_biba, u_short typelow,
395 u_short gradelow, u_char *compartmentslow, u_short typehigh,
396 u_short gradehigh, u_char *compartmentshigh)
399 mac_biba->mb_rangelow.mbe_type = typelow;
400 mac_biba->mb_rangelow.mbe_grade = gradelow;
401 if (compartmentslow != NULL)
402 memcpy(mac_biba->mb_rangelow.mbe_compartments,
404 sizeof(mac_biba->mb_rangelow.mbe_compartments));
405 mac_biba->mb_rangehigh.mbe_type = typehigh;
406 mac_biba->mb_rangehigh.mbe_grade = gradehigh;
407 if (compartmentshigh != NULL)
408 memcpy(mac_biba->mb_rangehigh.mbe_compartments,
410 sizeof(mac_biba->mb_rangehigh.mbe_compartments));
411 mac_biba->mb_flags |= MAC_BIBA_FLAG_RANGE;
415 mac_biba_set_single(struct mac_biba *mac_biba, u_short type, u_short grade,
416 u_char *compartments)
419 mac_biba->mb_single.mbe_type = type;
420 mac_biba->mb_single.mbe_grade = grade;
421 if (compartments != NULL)
422 memcpy(mac_biba->mb_single.mbe_compartments, compartments,
423 sizeof(mac_biba->mb_single.mbe_compartments));
424 mac_biba->mb_flags |= MAC_BIBA_FLAG_SINGLE;
428 mac_biba_copy_range(struct mac_biba *labelfrom, struct mac_biba *labelto)
431 KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_RANGE) != 0,
432 ("mac_biba_copy_range: labelfrom not range"));
434 labelto->mb_rangelow = labelfrom->mb_rangelow;
435 labelto->mb_rangehigh = labelfrom->mb_rangehigh;
436 labelto->mb_flags |= MAC_BIBA_FLAG_RANGE;
440 mac_biba_copy_single(struct mac_biba *labelfrom, struct mac_biba *labelto)
443 KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
444 ("mac_biba_copy_single: labelfrom not single"));
446 labelto->mb_single = labelfrom->mb_single;
447 labelto->mb_flags |= MAC_BIBA_FLAG_SINGLE;
451 mac_biba_copy(struct mac_biba *source, struct mac_biba *dest)
454 if (source->mb_flags & MAC_BIBA_FLAG_SINGLE)
455 mac_biba_copy_single(source, dest);
456 if (source->mb_flags & MAC_BIBA_FLAG_RANGE)
457 mac_biba_copy_range(source, dest);
461 * Policy module operations.
464 mac_biba_destroy(struct mac_policy_conf *conf)
470 mac_biba_init(struct mac_policy_conf *conf)
479 mac_biba_init_label(struct label *label)
482 SLOT(label) = biba_alloc(M_WAITOK);
486 mac_biba_init_label_waitcheck(struct label *label, int flag)
489 SLOT(label) = biba_alloc(flag);
490 if (SLOT(label) == NULL)
497 mac_biba_destroy_label(struct label *label)
500 biba_free(SLOT(label));
505 mac_biba_externalize(struct label *label, struct mac *extmac)
507 struct mac_biba *mac_biba;
509 mac_biba = SLOT(label);
511 if (mac_biba == NULL) {
512 printf("mac_biba_externalize: NULL pointer\n");
516 extmac->m_biba = *mac_biba;
522 mac_biba_internalize(struct label *label, struct mac *extmac)
524 struct mac_biba *mac_biba;
527 mac_biba = SLOT(label);
529 error = mac_biba_valid(mac_biba);
533 *mac_biba = extmac->m_biba;
539 * Labeling event operations: file system objects, and things that look
540 * a lot like file system objects.
543 mac_biba_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent,
546 struct mac_biba *mac_biba;
549 mac_biba = SLOT(label);
550 if (strcmp(dev->si_name, "null") == 0 ||
551 strcmp(dev->si_name, "zero") == 0 ||
552 strcmp(dev->si_name, "random") == 0 ||
553 strncmp(dev->si_name, "fd/", strlen("fd/")) == 0)
554 biba_type = MAC_BIBA_TYPE_EQUAL;
555 else if (ptys_equal &&
556 (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||
557 strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))
558 biba_type = MAC_BIBA_TYPE_EQUAL;
560 biba_type = MAC_BIBA_TYPE_HIGH;
561 mac_biba_set_single(mac_biba, biba_type, 0, NULL);
565 mac_biba_create_devfs_directory(char *dirname, int dirnamelen,
566 struct devfs_dirent *devfs_dirent, struct label *label)
568 struct mac_biba *mac_biba;
570 mac_biba = SLOT(label);
571 mac_biba_set_single(mac_biba, MAC_BIBA_TYPE_HIGH, 0, NULL);
575 mac_biba_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
576 struct label *ddlabel, struct devfs_dirent *de, struct label *delabel)
578 struct mac_biba *source, *dest;
580 source = SLOT(&cred->cr_label);
581 dest = SLOT(delabel);
583 mac_biba_copy_single(source, dest);
587 mac_biba_create_devfs_vnode(struct devfs_dirent *devfs_dirent,
588 struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
590 struct mac_biba *source, *dest;
592 source = SLOT(direntlabel);
593 dest = SLOT(vnodelabel);
594 mac_biba_copy_single(source, dest);
598 mac_biba_create_vnode(struct ucred *cred, struct vnode *parent,
599 struct label *parentlabel, struct vnode *child, struct label *childlabel)
601 struct mac_biba *source, *dest;
603 source = SLOT(&cred->cr_label);
604 dest = SLOT(childlabel);
606 mac_biba_copy_single(source, dest);
610 mac_biba_create_mount(struct ucred *cred, struct mount *mp,
611 struct label *mntlabel, struct label *fslabel)
613 struct mac_biba *source, *dest;
615 source = SLOT(&cred->cr_label);
616 dest = SLOT(mntlabel);
617 mac_biba_copy_single(source, dest);
618 dest = SLOT(fslabel);
619 mac_biba_copy_single(source, dest);
623 mac_biba_create_root_mount(struct ucred *cred, struct mount *mp,
624 struct label *mntlabel, struct label *fslabel)
626 struct mac_biba *mac_biba;
628 /* Always mount root as high integrity. */
629 mac_biba = SLOT(fslabel);
630 mac_biba_set_single(mac_biba, MAC_BIBA_TYPE_HIGH, 0, NULL);
631 mac_biba = SLOT(mntlabel);
632 mac_biba_set_single(mac_biba, MAC_BIBA_TYPE_HIGH, 0, NULL);
636 mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp,
637 struct label *vnodelabel, struct label *label)
639 struct mac_biba *source, *dest;
641 source = SLOT(label);
642 dest = SLOT(vnodelabel);
644 mac_biba_copy(source, dest);
648 mac_biba_update_devfsdirent(struct devfs_dirent *devfs_dirent,
649 struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
651 struct mac_biba *source, *dest;
653 source = SLOT(vnodelabel);
654 dest = SLOT(direntlabel);
656 mac_biba_copy(source, dest);
660 mac_biba_update_procfsvnode(struct vnode *vp, struct label *vnodelabel,
663 struct mac_biba *source, *dest;
665 source = SLOT(&cred->cr_label);
666 dest = SLOT(vnodelabel);
669 * Only copy the single, not the range, since vnodes only have
672 mac_biba_copy_single(source, dest);
676 mac_biba_update_vnode_from_externalized(struct vnode *vp,
677 struct label *vnodelabel, struct mac *extmac)
679 struct mac_biba *source, *dest;
682 source = &extmac->m_biba;
683 dest = SLOT(vnodelabel);
685 error = mac_biba_valid(source);
689 if ((source->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE)
692 mac_biba_copy_single(source, dest);
698 mac_biba_update_vnode_from_mount(struct vnode *vp, struct label *vnodelabel,
699 struct mount *mp, struct label *fslabel)
701 struct mac_biba *source, *dest;
703 source = SLOT(fslabel);
704 dest = SLOT(vnodelabel);
706 mac_biba_copy_single(source, dest);
710 * Labeling event operations: IPC object.
713 mac_biba_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
714 struct mbuf *m, struct label *mbuflabel)
716 struct mac_biba *source, *dest;
718 source = SLOT(socketlabel);
719 dest = SLOT(mbuflabel);
721 mac_biba_copy_single(source, dest);
725 mac_biba_create_socket(struct ucred *cred, struct socket *socket,
726 struct label *socketlabel)
728 struct mac_biba *source, *dest;
730 source = SLOT(&cred->cr_label);
731 dest = SLOT(socketlabel);
733 mac_biba_copy_single(source, dest);
737 mac_biba_create_pipe(struct ucred *cred, struct pipe *pipe,
738 struct label *pipelabel)
740 struct mac_biba *source, *dest;
742 source = SLOT(&cred->cr_label);
743 dest = SLOT(pipelabel);
745 mac_biba_copy_single(source, dest);
749 mac_biba_create_socket_from_socket(struct socket *oldsocket,
750 struct label *oldsocketlabel, struct socket *newsocket,
751 struct label *newsocketlabel)
753 struct mac_biba *source, *dest;
755 source = SLOT(oldsocketlabel);
756 dest = SLOT(newsocketlabel);
758 mac_biba_copy_single(source, dest);
762 mac_biba_relabel_socket(struct ucred *cred, struct socket *socket,
763 struct label *socketlabel, struct label *newlabel)
765 struct mac_biba *source, *dest;
767 source = SLOT(newlabel);
768 dest = SLOT(socketlabel);
770 mac_biba_copy(source, dest);
774 mac_biba_relabel_pipe(struct ucred *cred, struct pipe *pipe,
775 struct label *pipelabel, struct label *newlabel)
777 struct mac_biba *source, *dest;
779 source = SLOT(newlabel);
780 dest = SLOT(pipelabel);
782 mac_biba_copy(source, dest);
786 mac_biba_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
787 struct socket *socket, struct label *socketpeerlabel)
789 struct mac_biba *source, *dest;
791 source = SLOT(mbuflabel);
792 dest = SLOT(socketpeerlabel);
794 mac_biba_copy_single(source, dest);
798 * Labeling event operations: network objects.
801 mac_biba_set_socket_peer_from_socket(struct socket *oldsocket,
802 struct label *oldsocketlabel, struct socket *newsocket,
803 struct label *newsocketpeerlabel)
805 struct mac_biba *source, *dest;
807 source = SLOT(oldsocketlabel);
808 dest = SLOT(newsocketpeerlabel);
810 mac_biba_copy_single(source, dest);
814 mac_biba_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
815 struct label *bpflabel)
817 struct mac_biba *source, *dest;
819 source = SLOT(&cred->cr_label);
820 dest = SLOT(bpflabel);
822 mac_biba_copy_single(source, dest);
826 mac_biba_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
828 char tifname[IFNAMSIZ], ifname[IFNAMSIZ], *p, *q;
829 char tiflist[sizeof(trusted_interfaces)];
830 struct mac_biba *dest;
833 dest = SLOT(ifnetlabel);
835 if (ifnet->if_type == IFT_LOOP) {
836 grade = MAC_BIBA_TYPE_EQUAL;
840 if (trust_all_interfaces) {
841 grade = MAC_BIBA_TYPE_HIGH;
845 grade = MAC_BIBA_TYPE_LOW;
847 if (trusted_interfaces[0] == '\0' ||
848 !strvalid(trusted_interfaces, sizeof(trusted_interfaces)))
851 for (p = trusted_interfaces, q = tiflist; *p != '\0'; p++, q++)
852 if(*p != ' ' && *p != '\t')
855 snprintf(ifname, IFNAMSIZ, "%s%d", ifnet->if_name, ifnet->if_unit);
857 for (p = q = tiflist;; p++) {
858 if (*p == ',' || *p == '\0') {
860 if (len < IFNAMSIZ) {
861 bzero(tifname, sizeof(tifname));
862 bcopy(q, tifname, len);
863 if (strcmp(tifname, ifname) == 0) {
864 grade = MAC_BIBA_TYPE_HIGH;
874 mac_biba_set_single(dest, grade, 0, NULL);
875 mac_biba_set_range(dest, grade, 0, NULL, grade, 0, NULL);
879 mac_biba_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
880 struct ipq *ipq, struct label *ipqlabel)
882 struct mac_biba *source, *dest;
884 source = SLOT(fragmentlabel);
885 dest = SLOT(ipqlabel);
887 mac_biba_copy_single(source, dest);
891 mac_biba_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
892 struct mbuf *datagram, struct label *datagramlabel)
894 struct mac_biba *source, *dest;
896 source = SLOT(ipqlabel);
897 dest = SLOT(datagramlabel);
899 /* Just use the head, since we require them all to match. */
900 mac_biba_copy_single(source, dest);
904 mac_biba_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
905 struct mbuf *fragment, struct label *fragmentlabel)
907 struct mac_biba *source, *dest;
909 source = SLOT(datagramlabel);
910 dest = SLOT(fragmentlabel);
912 mac_biba_copy_single(source, dest);
916 mac_biba_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
917 struct label *oldmbuflabel, struct mbuf *newmbuf,
918 struct label *newmbuflabel)
920 struct mac_biba *source, *dest;
922 source = SLOT(oldmbuflabel);
923 dest = SLOT(newmbuflabel);
926 * Because the source mbuf may not yet have been "created",
927 * just initialiezd, we do a conditional copy. Since we don't
928 * allow mbufs to have ranges, do a KASSERT to make sure that
931 KASSERT((source->mb_flags & MAC_BIBA_FLAG_RANGE) == 0,
932 ("mac_biba_create_mbuf_from_mbuf: source mbuf has range"));
933 mac_biba_copy(source, dest);
937 mac_biba_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
938 struct mbuf *mbuf, struct label *mbuflabel)
940 struct mac_biba *dest;
942 dest = SLOT(mbuflabel);
944 mac_biba_set_single(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
948 mac_biba_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
949 struct mbuf *mbuf, struct label *mbuflabel)
951 struct mac_biba *source, *dest;
953 source = SLOT(bpflabel);
954 dest = SLOT(mbuflabel);
956 mac_biba_copy_single(source, dest);
960 mac_biba_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
961 struct mbuf *m, struct label *mbuflabel)
963 struct mac_biba *source, *dest;
965 source = SLOT(ifnetlabel);
966 dest = SLOT(mbuflabel);
968 mac_biba_copy_single(source, dest);
972 mac_biba_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
973 struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
974 struct mbuf *newmbuf, struct label *newmbuflabel)
976 struct mac_biba *source, *dest;
978 source = SLOT(oldmbuflabel);
979 dest = SLOT(newmbuflabel);
981 mac_biba_copy_single(source, dest);
985 mac_biba_create_mbuf_netlayer(struct mbuf *oldmbuf, struct label *oldmbuflabel,
986 struct mbuf *newmbuf, struct label *newmbuflabel)
988 struct mac_biba *source, *dest;
990 source = SLOT(oldmbuflabel);
991 dest = SLOT(newmbuflabel);
993 mac_biba_copy_single(source, dest);
997 mac_biba_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
998 struct ipq *ipq, struct label *ipqlabel)
1000 struct mac_biba *a, *b;
1003 b = SLOT(fragmentlabel);
1005 return (mac_biba_equal_single(a, b));
1009 mac_biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
1010 struct label *ifnetlabel, struct label *newlabel)
1012 struct mac_biba *source, *dest;
1014 source = SLOT(newlabel);
1015 dest = SLOT(ifnetlabel);
1017 mac_biba_copy(source, dest);
1021 mac_biba_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
1022 struct ipq *ipq, struct label *ipqlabel)
1025 /* NOOP: we only accept matching labels, so no need to update */
1029 * Labeling event operations: processes.
1032 mac_biba_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
1034 struct mac_biba *source, *dest;
1036 source = SLOT(&cred_parent->cr_label);
1037 dest = SLOT(&cred_child->cr_label);
1039 mac_biba_copy_single(source, dest);
1040 mac_biba_copy_range(source, dest);
1044 mac_biba_execve_transition(struct ucred *old, struct ucred *new,
1045 struct vnode *vp, struct mac *vnodelabel)
1047 struct mac_biba *source, *dest;
1049 source = SLOT(&old->cr_label);
1050 dest = SLOT(&new->cr_label);
1052 mac_biba_copy_single(source, dest);
1053 mac_biba_copy_range(source, dest);
1057 mac_biba_execve_will_transition(struct ucred *old, struct vnode *vp,
1058 struct mac *vnodelabel)
1065 mac_biba_create_proc0(struct ucred *cred)
1067 struct mac_biba *dest;
1069 dest = SLOT(&cred->cr_label);
1071 mac_biba_set_single(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
1072 mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL,
1073 MAC_BIBA_TYPE_HIGH, 0, NULL);
1077 mac_biba_create_proc1(struct ucred *cred)
1079 struct mac_biba *dest;
1081 dest = SLOT(&cred->cr_label);
1083 mac_biba_set_single(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
1084 mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL,
1085 MAC_BIBA_TYPE_HIGH, 0, NULL);
1089 mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel)
1091 struct mac_biba *source, *dest;
1093 source = SLOT(newlabel);
1094 dest = SLOT(&cred->cr_label);
1096 mac_biba_copy(source, dest);
1100 * Access control checks.
1103 mac_biba_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
1104 struct ifnet *ifnet, struct label *ifnetlabel)
1106 struct mac_biba *a, *b;
1108 if (!mac_biba_enabled)
1112 b = SLOT(ifnetlabel);
1114 if (mac_biba_equal_single(a, b))
1120 mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
1122 struct mac_biba *subj, *new;
1125 subj = SLOT(&cred->cr_label);
1126 new = SLOT(newlabel);
1129 * If there is a Biba label update for the credential, it may
1130 * be an update of the single, range, or both.
1132 error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
1137 * If the Biba label is to be changed, authorize as appropriate.
1139 if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
1141 * To change the Biba single label on a credential, the
1142 * new single label must be in the current range.
1144 if (new->mb_flags & MAC_BIBA_FLAG_SINGLE &&
1145 !mac_biba_single_in_range(new, subj))
1149 * To change the Biba range on a credential, the new
1150 * range label must be in the current range.
1152 if (new->mb_flags & MAC_BIBA_FLAG_RANGE &&
1153 !mac_biba_range_in_range(new, subj))
1157 * To have EQUAL in any component of the new credential
1158 * Biba label, the subject must already have EQUAL in
1161 if (mac_biba_contains_equal(new)) {
1162 error = mac_biba_subject_equal_ok(subj);
1168 * XXXMAC: Additional consistency tests regarding the
1169 * single and range of the new label might be performed
1178 mac_biba_check_cred_visible(struct ucred *u1, struct ucred *u2)
1180 struct mac_biba *subj, *obj;
1182 if (!mac_biba_enabled)
1185 subj = SLOT(&u1->cr_label);
1186 obj = SLOT(&u2->cr_label);
1189 if (!mac_biba_dominate_single(obj, subj))
1196 mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
1197 struct label *ifnetlabel, struct label *newlabel)
1199 struct mac_biba *subj, *new;
1202 subj = SLOT(&cred->cr_label);
1203 new = SLOT(newlabel);
1206 * If there is a Biba label update for the interface, it may
1207 * be an update of the single, range, or both.
1209 error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
1214 * If the Biba label is to be changed, authorize as appropriate.
1216 if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
1218 * Rely on the traditional superuser status for the Biba
1219 * interface relabel requirements. XXXMAC: This will go
1222 error = suser_cred(cred, 0);
1227 * XXXMAC: Additional consistency tests regarding the single
1228 * and the range of the new label might be performed here.
1236 mac_biba_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
1237 struct mbuf *m, struct label *mbuflabel)
1239 struct mac_biba *p, *i;
1241 if (!mac_biba_enabled)
1244 p = SLOT(mbuflabel);
1245 i = SLOT(ifnetlabel);
1247 return (mac_biba_single_in_range(p, i) ? 0 : EACCES);
1251 mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp,
1252 struct label *mntlabel)
1254 struct mac_biba *subj, *obj;
1256 if (!mac_biba_enabled)
1259 subj = SLOT(&cred->cr_label);
1260 obj = SLOT(mntlabel);
1262 if (!mac_biba_dominate_single(obj, subj))
1269 mac_biba_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
1270 struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
1273 if(!mac_biba_enabled)
1276 /* XXX: This will be implemented soon... */
1282 mac_biba_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
1283 struct label *pipelabel)
1285 struct mac_biba *subj, *obj;
1287 if (!mac_biba_enabled)
1290 subj = SLOT(&cred->cr_label);
1291 obj = SLOT((pipelabel));
1293 if (!mac_biba_dominate_single(obj, subj))
1300 mac_biba_check_pipe_read(struct ucred *cred, struct pipe *pipe,
1301 struct label *pipelabel)
1303 struct mac_biba *subj, *obj;
1305 if (!mac_biba_enabled)
1308 subj = SLOT(&cred->cr_label);
1309 obj = SLOT((pipelabel));
1311 if (!mac_biba_dominate_single(obj, subj))
1318 mac_biba_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
1319 struct label *pipelabel, struct label *newlabel)
1321 struct mac_biba *subj, *obj, *new;
1324 new = SLOT(newlabel);
1325 subj = SLOT(&cred->cr_label);
1326 obj = SLOT(pipelabel);
1329 * If there is a Biba label update for a pipe, it must be a
1332 error = biba_atmostflags(new, MAC_BIBA_FLAG_SINGLE);
1337 * To perform a relabel of a pipe (Biba label or not), Biba must
1338 * authorize the relabel.
1340 if (!mac_biba_single_in_range(obj, subj))
1344 * If the Biba label is to be changed, authorize as appropriate.
1346 if (new->mb_flags & MAC_BIBA_FLAG_SINGLE) {
1348 * To change the Biba label on a pipe, the new pipe label
1349 * must be in the subject range.
1351 if (!mac_biba_single_in_range(new, subj))
1355 * To change the Biba label on a pipe to be EQUAL, the
1356 * subject must have appropriate privilege.
1358 if (mac_biba_contains_equal(new)) {
1359 error = mac_biba_subject_equal_ok(subj);
1369 mac_biba_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
1370 struct label *pipelabel)
1372 struct mac_biba *subj, *obj;
1374 if (!mac_biba_enabled)
1377 subj = SLOT(&cred->cr_label);
1378 obj = SLOT((pipelabel));
1380 if (!mac_biba_dominate_single(obj, subj))
1387 mac_biba_check_pipe_write(struct ucred *cred, struct pipe *pipe,
1388 struct label *pipelabel)
1390 struct mac_biba *subj, *obj;
1392 if (!mac_biba_enabled)
1395 subj = SLOT(&cred->cr_label);
1396 obj = SLOT((pipelabel));
1398 if (!mac_biba_dominate_single(subj, obj))
1405 mac_biba_check_proc_debug(struct ucred *cred, struct proc *proc)
1407 struct mac_biba *subj, *obj;
1409 if (!mac_biba_enabled)
1412 subj = SLOT(&cred->cr_label);
1413 obj = SLOT(&proc->p_ucred->cr_label);
1415 /* XXX: range checks */
1416 if (!mac_biba_dominate_single(obj, subj))
1418 if (!mac_biba_dominate_single(subj, obj))
1425 mac_biba_check_proc_sched(struct ucred *cred, struct proc *proc)
1427 struct mac_biba *subj, *obj;
1429 if (!mac_biba_enabled)
1432 subj = SLOT(&cred->cr_label);
1433 obj = SLOT(&proc->p_ucred->cr_label);
1435 /* XXX: range checks */
1436 if (!mac_biba_dominate_single(obj, subj))
1438 if (!mac_biba_dominate_single(subj, obj))
1445 mac_biba_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
1447 struct mac_biba *subj, *obj;
1449 if (!mac_biba_enabled)
1452 subj = SLOT(&cred->cr_label);
1453 obj = SLOT(&proc->p_ucred->cr_label);
1455 /* XXX: range checks */
1456 if (!mac_biba_dominate_single(obj, subj))
1458 if (!mac_biba_dominate_single(subj, obj))
1465 mac_biba_check_socket_deliver(struct socket *so, struct label *socketlabel,
1466 struct mbuf *m, struct label *mbuflabel)
1468 struct mac_biba *p, *s;
1470 if (!mac_biba_enabled)
1473 p = SLOT(mbuflabel);
1474 s = SLOT(socketlabel);
1476 return (mac_biba_equal_single(p, s) ? 0 : EACCES);
1480 mac_biba_check_socket_relabel(struct ucred *cred, struct socket *socket,
1481 struct label *socketlabel, struct label *newlabel)
1483 struct mac_biba *subj, *obj, *new;
1486 new = SLOT(newlabel);
1487 subj = SLOT(&cred->cr_label);
1488 obj = SLOT(socketlabel);
1491 * If there is a Biba label update for the socket, it may be
1492 * an update of single.
1494 error = biba_atmostflags(new, MAC_BIBA_FLAG_SINGLE);
1499 * To relabel a socket, the old socket single must be in the subject
1502 if (!mac_biba_single_in_range(obj, subj))
1506 * If the Biba label is to be changed, authorize as appropriate.
1508 if (new->mb_flags & MAC_BIBA_FLAG_SINGLE) {
1510 * To relabel a socket, the new socket single must be in
1511 * the subject range.
1513 if (!mac_biba_single_in_range(new, subj))
1517 * To change the Biba label on the socket to contain EQUAL,
1518 * the subject must have appropriate privilege.
1520 if (mac_biba_contains_equal(new)) {
1521 error = mac_biba_subject_equal_ok(subj);
1531 mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket,
1532 struct label *socketlabel)
1534 struct mac_biba *subj, *obj;
1536 subj = SLOT(&cred->cr_label);
1537 obj = SLOT(socketlabel);
1539 if (!mac_biba_dominate_single(obj, subj))
1546 mac_biba_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
1547 struct label *dlabel)
1549 struct mac_biba *subj, *obj;
1551 if (!mac_biba_enabled)
1554 subj = SLOT(&cred->cr_label);
1557 if (!mac_biba_dominate_single(obj, subj))
1564 mac_biba_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
1565 struct label *dlabel)
1567 struct mac_biba *subj, *obj;
1569 if (!mac_biba_enabled)
1572 subj = SLOT(&cred->cr_label);
1575 if (!mac_biba_dominate_single(obj, subj))
1582 mac_biba_check_vnode_create(struct ucred *cred, struct vnode *dvp,
1583 struct label *dlabel, struct componentname *cnp, struct vattr *vap)
1585 struct mac_biba *subj, *obj;
1587 if (!mac_biba_enabled)
1590 subj = SLOT(&cred->cr_label);
1593 if (!mac_biba_dominate_single(subj, obj))
1600 mac_biba_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
1601 struct label *dlabel, struct vnode *vp, struct label *label,
1602 struct componentname *cnp)
1604 struct mac_biba *subj, *obj;
1606 if (!mac_biba_enabled)
1609 subj = SLOT(&cred->cr_label);
1612 if (!mac_biba_dominate_single(subj, obj))
1617 if (!mac_biba_dominate_single(subj, obj))
1624 mac_biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
1625 struct label *label, acl_type_t type)
1627 struct mac_biba *subj, *obj;
1629 if (!mac_biba_enabled)
1632 subj = SLOT(&cred->cr_label);
1635 if (!mac_biba_dominate_single(subj, obj))
1642 mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
1643 struct label *label)
1645 struct mac_biba *subj, *obj;
1647 if (!mac_biba_enabled)
1650 subj = SLOT(&cred->cr_label);
1653 if (!mac_biba_dominate_single(obj, subj))
1660 mac_biba_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
1661 struct label *label, acl_type_t type)
1663 struct mac_biba *subj, *obj;
1665 if (!mac_biba_enabled)
1668 subj = SLOT(&cred->cr_label);
1671 if (!mac_biba_dominate_single(obj, subj))
1678 mac_biba_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
1679 struct label *label, int attrnamespace, const char *name, struct uio *uio)
1681 struct mac_biba *subj, *obj;
1683 if (!mac_biba_enabled)
1686 subj = SLOT(&cred->cr_label);
1689 if (!mac_biba_dominate_single(obj, subj))
1696 mac_biba_check_vnode_link(struct ucred *cred, struct vnode *dvp,
1697 struct label *dlabel, struct vnode *vp, struct label *label,
1698 struct componentname *cnp)
1700 struct mac_biba *subj, *obj;
1702 if (!mac_biba_enabled)
1705 subj = SLOT(&cred->cr_label);
1708 if (!mac_biba_dominate_single(subj, obj))
1713 if (!mac_biba_dominate_single(subj, obj))
1720 mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
1721 struct label *dlabel, struct componentname *cnp)
1723 struct mac_biba *subj, *obj;
1725 if (!mac_biba_enabled)
1728 subj = SLOT(&cred->cr_label);
1731 if (!mac_biba_dominate_single(obj, subj))
1738 mac_biba_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
1739 struct label *label, int prot)
1741 struct mac_biba *subj, *obj;
1744 * Rely on the use of open()-time protections to handle
1745 * non-revocation cases.
1747 if (!mac_biba_enabled || !revocation_enabled)
1750 subj = SLOT(&cred->cr_label);
1753 if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
1754 if (!mac_biba_dominate_single(obj, subj))
1757 if (prot & VM_PROT_WRITE) {
1758 if (!mac_biba_dominate_single(subj, obj))
1766 mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
1767 struct label *vnodelabel, mode_t acc_mode)
1769 struct mac_biba *subj, *obj;
1771 if (!mac_biba_enabled)
1774 subj = SLOT(&cred->cr_label);
1775 obj = SLOT(vnodelabel);
1777 /* XXX privilege override for admin? */
1778 if (acc_mode & (VREAD | VEXEC | VSTAT)) {
1779 if (!mac_biba_dominate_single(obj, subj))
1782 if (acc_mode & (VWRITE | VAPPEND | VADMIN)) {
1783 if (!mac_biba_dominate_single(subj, obj))
1791 mac_biba_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
1792 struct vnode *vp, struct label *label)
1794 struct mac_biba *subj, *obj;
1796 if (!mac_biba_enabled || !revocation_enabled)
1799 subj = SLOT(&active_cred->cr_label);
1802 if (!mac_biba_dominate_single(obj, subj))
1809 mac_biba_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
1810 struct vnode *vp, struct label *label)
1812 struct mac_biba *subj, *obj;
1814 if (!mac_biba_enabled || !revocation_enabled)
1817 subj = SLOT(&active_cred->cr_label);
1820 if (!mac_biba_dominate_single(obj, subj))
1827 mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
1828 struct label *dlabel)
1830 struct mac_biba *subj, *obj;
1832 if (!mac_biba_enabled)
1835 subj = SLOT(&cred->cr_label);
1838 if (!mac_biba_dominate_single(obj, subj))
1845 mac_biba_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
1846 struct label *label)
1848 struct mac_biba *subj, *obj;
1850 if (!mac_biba_enabled)
1853 subj = SLOT(&cred->cr_label);
1856 if (!mac_biba_dominate_single(obj, subj))
1863 mac_biba_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
1864 struct label *vnodelabel, struct label *newlabel)
1866 struct mac_biba *old, *new, *subj;
1869 old = SLOT(vnodelabel);
1870 new = SLOT(newlabel);
1871 subj = SLOT(&cred->cr_label);
1874 * If there is a Biba label update for the vnode, it must be a
1877 error = biba_atmostflags(new, MAC_BIBA_FLAG_SINGLE);
1882 * To perform a relabel of the vnode (Biba label or not), Biba must
1883 * authorize the relabel.
1885 if (!mac_biba_single_in_range(old, subj))
1889 * If the Biba label is to be changed, authorize as appropriate.
1891 if (new->mb_flags & MAC_BIBA_FLAG_SINGLE) {
1893 * To change the Biba label on a vnode, the new vnode label
1894 * must be in the subject range.
1896 if (!mac_biba_single_in_range(new, subj))
1900 * To change the Biba label on the vnode to be EQUAL,
1901 * the subject must have appropriate privilege.
1903 if (mac_biba_contains_equal(new)) {
1904 error = mac_biba_subject_equal_ok(subj);
1914 mac_biba_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
1915 struct label *dlabel, struct vnode *vp, struct label *label,
1916 struct componentname *cnp)
1918 struct mac_biba *subj, *obj;
1920 if (!mac_biba_enabled)
1923 subj = SLOT(&cred->cr_label);
1926 if (!mac_biba_dominate_single(subj, obj))
1931 if (!mac_biba_dominate_single(subj, obj))
1938 mac_biba_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
1939 struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
1940 struct componentname *cnp)
1942 struct mac_biba *subj, *obj;
1944 if (!mac_biba_enabled)
1947 subj = SLOT(&cred->cr_label);
1950 if (!mac_biba_dominate_single(subj, obj))
1956 if (!mac_biba_dominate_single(subj, obj))
1964 mac_biba_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
1965 struct label *label)
1967 struct mac_biba *subj, *obj;
1969 if (!mac_biba_enabled)
1972 subj = SLOT(&cred->cr_label);
1975 if (!mac_biba_dominate_single(subj, obj))
1982 mac_biba_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
1983 struct label *label, acl_type_t type, struct acl *acl)
1985 struct mac_biba *subj, *obj;
1987 if (!mac_biba_enabled)
1990 subj = SLOT(&cred->cr_label);
1993 if (!mac_biba_dominate_single(subj, obj))
2000 mac_biba_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
2001 struct label *vnodelabel, int attrnamespace, const char *name,
2004 struct mac_biba *subj, *obj;
2006 if (!mac_biba_enabled)
2009 subj = SLOT(&cred->cr_label);
2010 obj = SLOT(vnodelabel);
2012 if (!mac_biba_dominate_single(subj, obj))
2015 /* XXX: protect the MAC EA in a special way? */
2021 mac_biba_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
2022 struct label *vnodelabel, u_long flags)
2024 struct mac_biba *subj, *obj;
2026 if (!mac_biba_enabled)
2029 subj = SLOT(&cred->cr_label);
2030 obj = SLOT(vnodelabel);
2032 if (!mac_biba_dominate_single(subj, obj))
2039 mac_biba_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
2040 struct label *vnodelabel, mode_t mode)
2042 struct mac_biba *subj, *obj;
2044 if (!mac_biba_enabled)
2047 subj = SLOT(&cred->cr_label);
2048 obj = SLOT(vnodelabel);
2050 if (!mac_biba_dominate_single(subj, obj))
2057 mac_biba_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
2058 struct label *vnodelabel, uid_t uid, gid_t gid)
2060 struct mac_biba *subj, *obj;
2062 if (!mac_biba_enabled)
2065 subj = SLOT(&cred->cr_label);
2066 obj = SLOT(vnodelabel);
2068 if (!mac_biba_dominate_single(subj, obj))
2075 mac_biba_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
2076 struct label *vnodelabel, struct timespec atime, struct timespec mtime)
2078 struct mac_biba *subj, *obj;
2080 if (!mac_biba_enabled)
2083 subj = SLOT(&cred->cr_label);
2084 obj = SLOT(vnodelabel);
2086 if (!mac_biba_dominate_single(subj, obj))
2093 mac_biba_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
2094 struct vnode *vp, struct label *vnodelabel)
2096 struct mac_biba *subj, *obj;
2098 if (!mac_biba_enabled)
2101 subj = SLOT(&active_cred->cr_label);
2102 obj = SLOT(vnodelabel);
2104 if (!mac_biba_dominate_single(obj, subj))
2111 mac_biba_check_vnode_write(struct ucred *active_cred,
2112 struct ucred *file_cred, struct vnode *vp, struct label *label)
2114 struct mac_biba *subj, *obj;
2116 if (!mac_biba_enabled || !revocation_enabled)
2119 subj = SLOT(&active_cred->cr_label);
2122 if (!mac_biba_dominate_single(subj, obj))
2128 static struct mac_policy_op_entry mac_biba_ops[] =
2131 (macop_t)mac_biba_destroy },
2133 (macop_t)mac_biba_init },
2134 { MAC_INIT_BPFDESC_LABEL,
2135 (macop_t)mac_biba_init_label },
2136 { MAC_INIT_CRED_LABEL,
2137 (macop_t)mac_biba_init_label },
2138 { MAC_INIT_DEVFSDIRENT_LABEL,
2139 (macop_t)mac_biba_init_label },
2140 { MAC_INIT_IFNET_LABEL,
2141 (macop_t)mac_biba_init_label },
2142 { MAC_INIT_IPQ_LABEL,
2143 (macop_t)mac_biba_init_label },
2144 { MAC_INIT_MBUF_LABEL,
2145 (macop_t)mac_biba_init_label_waitcheck },
2146 { MAC_INIT_MOUNT_LABEL,
2147 (macop_t)mac_biba_init_label },
2148 { MAC_INIT_MOUNT_FS_LABEL,
2149 (macop_t)mac_biba_init_label },
2150 { MAC_INIT_PIPE_LABEL,
2151 (macop_t)mac_biba_init_label },
2152 { MAC_INIT_SOCKET_LABEL,
2153 (macop_t)mac_biba_init_label_waitcheck },
2154 { MAC_INIT_SOCKET_PEER_LABEL,
2155 (macop_t)mac_biba_init_label_waitcheck },
2156 { MAC_INIT_TEMP_LABEL,
2157 (macop_t)mac_biba_init_label },
2158 { MAC_INIT_VNODE_LABEL,
2159 (macop_t)mac_biba_init_label },
2160 { MAC_DESTROY_BPFDESC_LABEL,
2161 (macop_t)mac_biba_destroy_label },
2162 { MAC_DESTROY_CRED_LABEL,
2163 (macop_t)mac_biba_destroy_label },
2164 { MAC_DESTROY_DEVFSDIRENT_LABEL,
2165 (macop_t)mac_biba_destroy_label },
2166 { MAC_DESTROY_IFNET_LABEL,
2167 (macop_t)mac_biba_destroy_label },
2168 { MAC_DESTROY_IPQ_LABEL,
2169 (macop_t)mac_biba_destroy_label },
2170 { MAC_DESTROY_MBUF_LABEL,
2171 (macop_t)mac_biba_destroy_label },
2172 { MAC_DESTROY_MOUNT_LABEL,
2173 (macop_t)mac_biba_destroy_label },
2174 { MAC_DESTROY_MOUNT_FS_LABEL,
2175 (macop_t)mac_biba_destroy_label },
2176 { MAC_DESTROY_PIPE_LABEL,
2177 (macop_t)mac_biba_destroy_label },
2178 { MAC_DESTROY_SOCKET_LABEL,
2179 (macop_t)mac_biba_destroy_label },
2180 { MAC_DESTROY_SOCKET_PEER_LABEL,
2181 (macop_t)mac_biba_destroy_label },
2182 { MAC_DESTROY_TEMP_LABEL,
2183 (macop_t)mac_biba_destroy_label },
2184 { MAC_DESTROY_VNODE_LABEL,
2185 (macop_t)mac_biba_destroy_label },
2187 (macop_t)mac_biba_externalize },
2189 (macop_t)mac_biba_internalize },
2190 { MAC_CREATE_DEVFS_DEVICE,
2191 (macop_t)mac_biba_create_devfs_device },
2192 { MAC_CREATE_DEVFS_DIRECTORY,
2193 (macop_t)mac_biba_create_devfs_directory },
2194 { MAC_CREATE_DEVFS_SYMLINK,
2195 (macop_t)mac_biba_create_devfs_symlink },
2196 { MAC_CREATE_DEVFS_VNODE,
2197 (macop_t)mac_biba_create_devfs_vnode },
2199 (macop_t)mac_biba_create_vnode },
2201 (macop_t)mac_biba_create_mount },
2202 { MAC_CREATE_ROOT_MOUNT,
2203 (macop_t)mac_biba_create_root_mount },
2204 { MAC_RELABEL_VNODE,
2205 (macop_t)mac_biba_relabel_vnode },
2206 { MAC_UPDATE_DEVFSDIRENT,
2207 (macop_t)mac_biba_update_devfsdirent },
2208 { MAC_UPDATE_PROCFSVNODE,
2209 (macop_t)mac_biba_update_procfsvnode },
2210 { MAC_UPDATE_VNODE_FROM_EXTERNALIZED,
2211 (macop_t)mac_biba_update_vnode_from_externalized },
2212 { MAC_UPDATE_VNODE_FROM_MOUNT,
2213 (macop_t)mac_biba_update_vnode_from_mount },
2214 { MAC_CREATE_MBUF_FROM_SOCKET,
2215 (macop_t)mac_biba_create_mbuf_from_socket },
2217 (macop_t)mac_biba_create_pipe },
2218 { MAC_CREATE_SOCKET,
2219 (macop_t)mac_biba_create_socket },
2220 { MAC_CREATE_SOCKET_FROM_SOCKET,
2221 (macop_t)mac_biba_create_socket_from_socket },
2223 (macop_t)mac_biba_relabel_pipe },
2224 { MAC_RELABEL_SOCKET,
2225 (macop_t)mac_biba_relabel_socket },
2226 { MAC_SET_SOCKET_PEER_FROM_MBUF,
2227 (macop_t)mac_biba_set_socket_peer_from_mbuf },
2228 { MAC_SET_SOCKET_PEER_FROM_SOCKET,
2229 (macop_t)mac_biba_set_socket_peer_from_socket },
2230 { MAC_CREATE_BPFDESC,
2231 (macop_t)mac_biba_create_bpfdesc },
2232 { MAC_CREATE_DATAGRAM_FROM_IPQ,
2233 (macop_t)mac_biba_create_datagram_from_ipq },
2234 { MAC_CREATE_FRAGMENT,
2235 (macop_t)mac_biba_create_fragment },
2237 (macop_t)mac_biba_create_ifnet },
2239 (macop_t)mac_biba_create_ipq },
2240 { MAC_CREATE_MBUF_FROM_MBUF,
2241 (macop_t)mac_biba_create_mbuf_from_mbuf },
2242 { MAC_CREATE_MBUF_LINKLAYER,
2243 (macop_t)mac_biba_create_mbuf_linklayer },
2244 { MAC_CREATE_MBUF_FROM_BPFDESC,
2245 (macop_t)mac_biba_create_mbuf_from_bpfdesc },
2246 { MAC_CREATE_MBUF_FROM_IFNET,
2247 (macop_t)mac_biba_create_mbuf_from_ifnet },
2248 { MAC_CREATE_MBUF_MULTICAST_ENCAP,
2249 (macop_t)mac_biba_create_mbuf_multicast_encap },
2250 { MAC_CREATE_MBUF_NETLAYER,
2251 (macop_t)mac_biba_create_mbuf_netlayer },
2252 { MAC_FRAGMENT_MATCH,
2253 (macop_t)mac_biba_fragment_match },
2254 { MAC_RELABEL_IFNET,
2255 (macop_t)mac_biba_relabel_ifnet },
2257 (macop_t)mac_biba_update_ipq },
2259 (macop_t)mac_biba_create_cred },
2260 { MAC_EXECVE_TRANSITION,
2261 (macop_t)mac_biba_execve_transition },
2262 { MAC_EXECVE_WILL_TRANSITION,
2263 (macop_t)mac_biba_execve_will_transition },
2265 (macop_t)mac_biba_create_proc0 },
2267 (macop_t)mac_biba_create_proc1 },
2269 (macop_t)mac_biba_relabel_cred },
2270 { MAC_CHECK_BPFDESC_RECEIVE,
2271 (macop_t)mac_biba_check_bpfdesc_receive },
2272 { MAC_CHECK_CRED_RELABEL,
2273 (macop_t)mac_biba_check_cred_relabel },
2274 { MAC_CHECK_CRED_VISIBLE,
2275 (macop_t)mac_biba_check_cred_visible },
2276 { MAC_CHECK_IFNET_RELABEL,
2277 (macop_t)mac_biba_check_ifnet_relabel },
2278 { MAC_CHECK_IFNET_TRANSMIT,
2279 (macop_t)mac_biba_check_ifnet_transmit },
2280 { MAC_CHECK_MOUNT_STAT,
2281 (macop_t)mac_biba_check_mount_stat },
2282 { MAC_CHECK_PIPE_IOCTL,
2283 (macop_t)mac_biba_check_pipe_ioctl },
2284 { MAC_CHECK_PIPE_POLL,
2285 (macop_t)mac_biba_check_pipe_poll },
2286 { MAC_CHECK_PIPE_READ,
2287 (macop_t)mac_biba_check_pipe_read },
2288 { MAC_CHECK_PIPE_RELABEL,
2289 (macop_t)mac_biba_check_pipe_relabel },
2290 { MAC_CHECK_PIPE_STAT,
2291 (macop_t)mac_biba_check_pipe_stat },
2292 { MAC_CHECK_PIPE_WRITE,
2293 (macop_t)mac_biba_check_pipe_write },
2294 { MAC_CHECK_PROC_DEBUG,
2295 (macop_t)mac_biba_check_proc_debug },
2296 { MAC_CHECK_PROC_SCHED,
2297 (macop_t)mac_biba_check_proc_sched },
2298 { MAC_CHECK_PROC_SIGNAL,
2299 (macop_t)mac_biba_check_proc_signal },
2300 { MAC_CHECK_SOCKET_DELIVER,
2301 (macop_t)mac_biba_check_socket_deliver },
2302 { MAC_CHECK_SOCKET_RELABEL,
2303 (macop_t)mac_biba_check_socket_relabel },
2304 { MAC_CHECK_SOCKET_VISIBLE,
2305 (macop_t)mac_biba_check_socket_visible },
2306 { MAC_CHECK_VNODE_ACCESS,
2307 (macop_t)mac_biba_check_vnode_open },
2308 { MAC_CHECK_VNODE_CHDIR,
2309 (macop_t)mac_biba_check_vnode_chdir },
2310 { MAC_CHECK_VNODE_CHROOT,
2311 (macop_t)mac_biba_check_vnode_chroot },
2312 { MAC_CHECK_VNODE_CREATE,
2313 (macop_t)mac_biba_check_vnode_create },
2314 { MAC_CHECK_VNODE_DELETE,
2315 (macop_t)mac_biba_check_vnode_delete },
2316 { MAC_CHECK_VNODE_DELETEACL,
2317 (macop_t)mac_biba_check_vnode_deleteacl },
2318 { MAC_CHECK_VNODE_EXEC,
2319 (macop_t)mac_biba_check_vnode_exec },
2320 { MAC_CHECK_VNODE_GETACL,
2321 (macop_t)mac_biba_check_vnode_getacl },
2322 { MAC_CHECK_VNODE_GETEXTATTR,
2323 (macop_t)mac_biba_check_vnode_getextattr },
2324 { MAC_CHECK_VNODE_LINK,
2325 (macop_t)mac_biba_check_vnode_link },
2326 { MAC_CHECK_VNODE_LOOKUP,
2327 (macop_t)mac_biba_check_vnode_lookup },
2328 { MAC_CHECK_VNODE_MMAP,
2329 (macop_t)mac_biba_check_vnode_mmap },
2330 { MAC_CHECK_VNODE_MPROTECT,
2331 (macop_t)mac_biba_check_vnode_mmap },
2332 { MAC_CHECK_VNODE_OPEN,
2333 (macop_t)mac_biba_check_vnode_open },
2334 { MAC_CHECK_VNODE_POLL,
2335 (macop_t)mac_biba_check_vnode_poll },
2336 { MAC_CHECK_VNODE_READ,
2337 (macop_t)mac_biba_check_vnode_read },
2338 { MAC_CHECK_VNODE_READDIR,
2339 (macop_t)mac_biba_check_vnode_readdir },
2340 { MAC_CHECK_VNODE_READLINK,
2341 (macop_t)mac_biba_check_vnode_readlink },
2342 { MAC_CHECK_VNODE_RELABEL,
2343 (macop_t)mac_biba_check_vnode_relabel },
2344 { MAC_CHECK_VNODE_RENAME_FROM,
2345 (macop_t)mac_biba_check_vnode_rename_from },
2346 { MAC_CHECK_VNODE_RENAME_TO,
2347 (macop_t)mac_biba_check_vnode_rename_to },
2348 { MAC_CHECK_VNODE_REVOKE,
2349 (macop_t)mac_biba_check_vnode_revoke },
2350 { MAC_CHECK_VNODE_SETACL,
2351 (macop_t)mac_biba_check_vnode_setacl },
2352 { MAC_CHECK_VNODE_SETEXTATTR,
2353 (macop_t)mac_biba_check_vnode_setextattr },
2354 { MAC_CHECK_VNODE_SETFLAGS,
2355 (macop_t)mac_biba_check_vnode_setflags },
2356 { MAC_CHECK_VNODE_SETMODE,
2357 (macop_t)mac_biba_check_vnode_setmode },
2358 { MAC_CHECK_VNODE_SETOWNER,
2359 (macop_t)mac_biba_check_vnode_setowner },
2360 { MAC_CHECK_VNODE_SETUTIMES,
2361 (macop_t)mac_biba_check_vnode_setutimes },
2362 { MAC_CHECK_VNODE_STAT,
2363 (macop_t)mac_biba_check_vnode_stat },
2364 { MAC_CHECK_VNODE_WRITE,
2365 (macop_t)mac_biba_check_vnode_write },
2366 { MAC_OP_LAST, NULL }
2369 MAC_POLICY_SET(mac_biba_ops, trustedbsd_mac_biba, "TrustedBSD MAC/Biba",
2370 MPC_LOADTIME_FLAG_NOTLATE, &mac_biba_slot);