2 * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
3 * Copyright (c) 2001-2005 McAfee, Inc.
4 * Copyright (c) 2006 SPARTA, Inc.
7 * This software was developed by Robert Watson for the TrustedBSD Project.
9 * This software was developed for the FreeBSD Project in part by McAfee
10 * Research, the Security Research Division of McAfee, Inc. under
11 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
12 * CHATS research program.
14 * This software was enhanced by SPARTA ISSO under SPAWAR contract
15 * N66001-04-C-6019 ("SEFOS").
17 * This software was developed at the University of Cambridge Computer
18 * Laboratory with support from a grant from Google, Inc.
20 * Redistribution and use in source and binary forms, with or without
21 * modification, are permitted provided that the following conditions
23 * 1. Redistributions of source code must retain the above copyright
24 * notice, this list of conditions and the following disclaimer.
25 * 2. Redistributions in binary form must reproduce the above copyright
26 * notice, this list of conditions and the following disclaimer in the
27 * documentation and/or other materials provided with the distribution.
29 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
30 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
31 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
33 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
34 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
35 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
36 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
38 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
45 * Developed by the TrustedBSD Project.
47 * Biba fixed label mandatory integrity policy.
50 #include <sys/param.h>
52 #include <sys/extattr.h>
53 #include <sys/kernel.h>
55 #include <sys/malloc.h>
57 #include <sys/mount.h>
61 #include <sys/systm.h>
62 #include <sys/sysproto.h>
63 #include <sys/sysent.h>
64 #include <sys/systm.h>
65 #include <sys/vnode.h>
67 #include <sys/socket.h>
68 #include <sys/socketvar.h>
71 #include <sys/sysctl.h>
76 #include <fs/devfs/devfs.h>
78 #include <net/bpfdesc.h>
80 #include <net/if_types.h>
81 #include <net/if_var.h>
83 #include <netinet/in.h>
84 #include <netinet/in_pcb.h>
85 #include <netinet/ip_var.h>
90 #include <security/mac/mac_policy.h>
91 #include <security/mac_biba/mac_biba.h>
93 SYSCTL_DECL(_security_mac);
95 static SYSCTL_NODE(_security_mac, OID_AUTO, biba,
96 CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
97 "TrustedBSD mac_biba policy controls");
99 static int biba_label_size = sizeof(struct mac_biba);
100 SYSCTL_INT(_security_mac_biba, OID_AUTO, label_size, CTLFLAG_RD,
101 &biba_label_size, 0, "Size of struct mac_biba");
103 static int biba_enabled = 1;
104 SYSCTL_INT(_security_mac_biba, OID_AUTO, enabled, CTLFLAG_RWTUN, &biba_enabled,
105 0, "Enforce MAC/Biba policy");
107 static int destroyed_not_inited;
108 SYSCTL_INT(_security_mac_biba, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
109 &destroyed_not_inited, 0, "Count of labels destroyed but not inited");
111 static int trust_all_interfaces = 0;
112 SYSCTL_INT(_security_mac_biba, OID_AUTO, trust_all_interfaces, CTLFLAG_RDTUN,
113 &trust_all_interfaces, 0, "Consider all interfaces 'trusted' by MAC/Biba");
115 static char trusted_interfaces[128];
116 SYSCTL_STRING(_security_mac_biba, OID_AUTO, trusted_interfaces, CTLFLAG_RDTUN,
117 trusted_interfaces, 0, "Interfaces considered 'trusted' by MAC/Biba");
119 static int max_compartments = MAC_BIBA_MAX_COMPARTMENTS;
120 SYSCTL_INT(_security_mac_biba, OID_AUTO, max_compartments, CTLFLAG_RD,
121 &max_compartments, 0, "Maximum supported compartments");
123 static int ptys_equal = 0;
124 SYSCTL_INT(_security_mac_biba, OID_AUTO, ptys_equal, CTLFLAG_RWTUN, &ptys_equal,
125 0, "Label pty devices as biba/equal on create");
127 static int interfaces_equal = 1;
128 SYSCTL_INT(_security_mac_biba, OID_AUTO, interfaces_equal, CTLFLAG_RWTUN,
129 &interfaces_equal, 0, "Label network interfaces as biba/equal on create");
131 static int revocation_enabled = 0;
132 SYSCTL_INT(_security_mac_biba, OID_AUTO, revocation_enabled, CTLFLAG_RWTUN,
133 &revocation_enabled, 0, "Revoke access to objects on relabel");
135 static int biba_slot;
136 #define SLOT(l) ((struct mac_biba *)mac_label_get((l), biba_slot))
137 #define SLOT_SET(l, val) mac_label_set((l), biba_slot, (uintptr_t)(val))
139 static uma_zone_t zone_biba;
142 biba_bit_set_empty(u_char *set) {
145 for (i = 0; i < MAC_BIBA_MAX_COMPARTMENTS >> 3; i++)
151 static struct mac_biba *
155 return (uma_zalloc(zone_biba, flag | M_ZERO));
159 biba_free(struct mac_biba *mb)
163 uma_zfree(zone_biba, mb);
165 atomic_add_int(&destroyed_not_inited, 1);
169 biba_atmostflags(struct mac_biba *mb, int flags)
172 if ((mb->mb_flags & flags) != mb->mb_flags)
178 biba_dominate_element(struct mac_biba_element *a, struct mac_biba_element *b)
182 switch (a->mbe_type) {
183 case MAC_BIBA_TYPE_EQUAL:
184 case MAC_BIBA_TYPE_HIGH:
187 case MAC_BIBA_TYPE_LOW:
188 switch (b->mbe_type) {
189 case MAC_BIBA_TYPE_GRADE:
190 case MAC_BIBA_TYPE_HIGH:
193 case MAC_BIBA_TYPE_EQUAL:
194 case MAC_BIBA_TYPE_LOW:
198 panic("biba_dominate_element: b->mbe_type invalid");
201 case MAC_BIBA_TYPE_GRADE:
202 switch (b->mbe_type) {
203 case MAC_BIBA_TYPE_EQUAL:
204 case MAC_BIBA_TYPE_LOW:
207 case MAC_BIBA_TYPE_HIGH:
210 case MAC_BIBA_TYPE_GRADE:
211 for (bit = 1; bit <= MAC_BIBA_MAX_COMPARTMENTS; bit++)
212 if (!MAC_BIBA_BIT_TEST(bit,
213 a->mbe_compartments) &&
214 MAC_BIBA_BIT_TEST(bit, b->mbe_compartments))
216 return (a->mbe_grade >= b->mbe_grade);
219 panic("biba_dominate_element: b->mbe_type invalid");
223 panic("biba_dominate_element: a->mbe_type invalid");
230 biba_subject_dominate_high(struct mac_biba *mb)
232 struct mac_biba_element *element;
234 KASSERT((mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
235 ("biba_effective_in_range: mb not effective"));
236 element = &mb->mb_effective;
238 return (element->mbe_type == MAC_BIBA_TYPE_EQUAL ||
239 element->mbe_type == MAC_BIBA_TYPE_HIGH);
243 biba_range_in_range(struct mac_biba *rangea, struct mac_biba *rangeb)
246 return (biba_dominate_element(&rangeb->mb_rangehigh,
247 &rangea->mb_rangehigh) &&
248 biba_dominate_element(&rangea->mb_rangelow,
249 &rangeb->mb_rangelow));
253 biba_effective_in_range(struct mac_biba *effective, struct mac_biba *range)
256 KASSERT((effective->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
257 ("biba_effective_in_range: a not effective"));
258 KASSERT((range->mb_flags & MAC_BIBA_FLAG_RANGE) != 0,
259 ("biba_effective_in_range: b not range"));
261 return (biba_dominate_element(&range->mb_rangehigh,
262 &effective->mb_effective) &&
263 biba_dominate_element(&effective->mb_effective,
264 &range->mb_rangelow));
270 biba_dominate_effective(struct mac_biba *a, struct mac_biba *b)
272 KASSERT((a->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
273 ("biba_dominate_effective: a not effective"));
274 KASSERT((b->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
275 ("biba_dominate_effective: b not effective"));
277 return (biba_dominate_element(&a->mb_effective, &b->mb_effective));
281 biba_equal_element(struct mac_biba_element *a, struct mac_biba_element *b)
284 if (a->mbe_type == MAC_BIBA_TYPE_EQUAL ||
285 b->mbe_type == MAC_BIBA_TYPE_EQUAL)
288 return (a->mbe_type == b->mbe_type && a->mbe_grade == b->mbe_grade);
292 biba_equal_effective(struct mac_biba *a, struct mac_biba *b)
295 KASSERT((a->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
296 ("biba_equal_effective: a not effective"));
297 KASSERT((b->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
298 ("biba_equal_effective: b not effective"));
300 return (biba_equal_element(&a->mb_effective, &b->mb_effective));
304 biba_contains_equal(struct mac_biba *mb)
307 if (mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
308 if (mb->mb_effective.mbe_type == MAC_BIBA_TYPE_EQUAL)
312 if (mb->mb_flags & MAC_BIBA_FLAG_RANGE) {
313 if (mb->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL)
315 if (mb->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
323 biba_subject_privileged(struct mac_biba *mb)
326 KASSERT((mb->mb_flags & MAC_BIBA_FLAGS_BOTH) == MAC_BIBA_FLAGS_BOTH,
327 ("biba_subject_privileged: subject doesn't have both labels"));
329 /* If the effective is EQUAL, it's ok. */
330 if (mb->mb_effective.mbe_type == MAC_BIBA_TYPE_EQUAL)
333 /* If either range endpoint is EQUAL, it's ok. */
334 if (mb->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL ||
335 mb->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
338 /* If the range is low-high, it's ok. */
339 if (mb->mb_rangelow.mbe_type == MAC_BIBA_TYPE_LOW &&
340 mb->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_HIGH)
348 biba_high_effective(struct mac_biba *mb)
351 KASSERT((mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
352 ("biba_equal_effective: mb not effective"));
354 return (mb->mb_effective.mbe_type == MAC_BIBA_TYPE_HIGH);
358 biba_valid(struct mac_biba *mb)
361 if (mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
362 switch (mb->mb_effective.mbe_type) {
363 case MAC_BIBA_TYPE_GRADE:
366 case MAC_BIBA_TYPE_EQUAL:
367 case MAC_BIBA_TYPE_HIGH:
368 case MAC_BIBA_TYPE_LOW:
369 if (mb->mb_effective.mbe_grade != 0 ||
370 !MAC_BIBA_BIT_SET_EMPTY(
371 mb->mb_effective.mbe_compartments))
379 if (mb->mb_effective.mbe_type != MAC_BIBA_TYPE_UNDEF)
383 if (mb->mb_flags & MAC_BIBA_FLAG_RANGE) {
384 switch (mb->mb_rangelow.mbe_type) {
385 case MAC_BIBA_TYPE_GRADE:
388 case MAC_BIBA_TYPE_EQUAL:
389 case MAC_BIBA_TYPE_HIGH:
390 case MAC_BIBA_TYPE_LOW:
391 if (mb->mb_rangelow.mbe_grade != 0 ||
392 !MAC_BIBA_BIT_SET_EMPTY(
393 mb->mb_rangelow.mbe_compartments))
401 switch (mb->mb_rangehigh.mbe_type) {
402 case MAC_BIBA_TYPE_GRADE:
405 case MAC_BIBA_TYPE_EQUAL:
406 case MAC_BIBA_TYPE_HIGH:
407 case MAC_BIBA_TYPE_LOW:
408 if (mb->mb_rangehigh.mbe_grade != 0 ||
409 !MAC_BIBA_BIT_SET_EMPTY(
410 mb->mb_rangehigh.mbe_compartments))
417 if (!biba_dominate_element(&mb->mb_rangehigh,
421 if (mb->mb_rangelow.mbe_type != MAC_BIBA_TYPE_UNDEF ||
422 mb->mb_rangehigh.mbe_type != MAC_BIBA_TYPE_UNDEF)
430 biba_set_range(struct mac_biba *mb, u_short typelow, u_short gradelow,
431 u_char *compartmentslow, u_short typehigh, u_short gradehigh,
432 u_char *compartmentshigh)
435 mb->mb_rangelow.mbe_type = typelow;
436 mb->mb_rangelow.mbe_grade = gradelow;
437 if (compartmentslow != NULL)
438 memcpy(mb->mb_rangelow.mbe_compartments, compartmentslow,
439 sizeof(mb->mb_rangelow.mbe_compartments));
440 mb->mb_rangehigh.mbe_type = typehigh;
441 mb->mb_rangehigh.mbe_grade = gradehigh;
442 if (compartmentshigh != NULL)
443 memcpy(mb->mb_rangehigh.mbe_compartments, compartmentshigh,
444 sizeof(mb->mb_rangehigh.mbe_compartments));
445 mb->mb_flags |= MAC_BIBA_FLAG_RANGE;
449 biba_set_effective(struct mac_biba *mb, u_short type, u_short grade,
450 u_char *compartments)
453 mb->mb_effective.mbe_type = type;
454 mb->mb_effective.mbe_grade = grade;
455 if (compartments != NULL)
456 memcpy(mb->mb_effective.mbe_compartments, compartments,
457 sizeof(mb->mb_effective.mbe_compartments));
458 mb->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE;
462 biba_copy_range(struct mac_biba *labelfrom, struct mac_biba *labelto)
465 KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_RANGE) != 0,
466 ("biba_copy_range: labelfrom not range"));
468 labelto->mb_rangelow = labelfrom->mb_rangelow;
469 labelto->mb_rangehigh = labelfrom->mb_rangehigh;
470 labelto->mb_flags |= MAC_BIBA_FLAG_RANGE;
474 biba_copy_effective(struct mac_biba *labelfrom, struct mac_biba *labelto)
477 KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
478 ("biba_copy_effective: labelfrom not effective"));
480 labelto->mb_effective = labelfrom->mb_effective;
481 labelto->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE;
485 biba_copy(struct mac_biba *source, struct mac_biba *dest)
488 if (source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE)
489 biba_copy_effective(source, dest);
490 if (source->mb_flags & MAC_BIBA_FLAG_RANGE)
491 biba_copy_range(source, dest);
495 * Policy module operations.
498 biba_init(struct mac_policy_conf *conf)
501 zone_biba = uma_zcreate("mac_biba", sizeof(struct mac_biba), NULL,
502 NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
509 biba_init_label(struct label *label)
512 SLOT_SET(label, biba_alloc(M_WAITOK));
516 biba_init_label_waitcheck(struct label *label, int flag)
519 SLOT_SET(label, biba_alloc(flag));
520 if (SLOT(label) == NULL)
527 biba_destroy_label(struct label *label)
530 biba_free(SLOT(label));
531 SLOT_SET(label, NULL);
535 * biba_element_to_string() accepts an sbuf and Biba element. It converts
536 * the Biba element to a string and stores the result in the sbuf; if there
537 * isn't space in the sbuf, -1 is returned.
540 biba_element_to_string(struct sbuf *sb, struct mac_biba_element *element)
544 switch (element->mbe_type) {
545 case MAC_BIBA_TYPE_HIGH:
546 return (sbuf_printf(sb, "high"));
548 case MAC_BIBA_TYPE_LOW:
549 return (sbuf_printf(sb, "low"));
551 case MAC_BIBA_TYPE_EQUAL:
552 return (sbuf_printf(sb, "equal"));
554 case MAC_BIBA_TYPE_GRADE:
555 if (sbuf_printf(sb, "%d", element->mbe_grade) == -1)
559 for (i = 1; i <= MAC_BIBA_MAX_COMPARTMENTS; i++) {
560 if (MAC_BIBA_BIT_TEST(i, element->mbe_compartments)) {
562 if (sbuf_putc(sb, ':') == -1)
564 if (sbuf_printf(sb, "%d", i) == -1)
568 if (sbuf_printf(sb, "+%d", i) == -1)
576 panic("biba_element_to_string: invalid type (%d)",
582 * biba_to_string() converts a Biba label to a string, and places the results
583 * in the passed sbuf. It returns 0 on success, or EINVAL if there isn't
584 * room in the sbuf. Note: the sbuf will be modified even in a failure case,
585 * so the caller may need to revert the sbuf by restoring the offset if
589 biba_to_string(struct sbuf *sb, struct mac_biba *mb)
592 if (mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
593 if (biba_element_to_string(sb, &mb->mb_effective) == -1)
597 if (mb->mb_flags & MAC_BIBA_FLAG_RANGE) {
598 if (sbuf_putc(sb, '(') == -1)
601 if (biba_element_to_string(sb, &mb->mb_rangelow) == -1)
604 if (sbuf_putc(sb, '-') == -1)
607 if (biba_element_to_string(sb, &mb->mb_rangehigh) == -1)
610 if (sbuf_putc(sb, ')') == -1)
618 biba_externalize_label(struct label *label, char *element_name,
619 struct sbuf *sb, int *claimed)
623 if (strcmp(MAC_BIBA_LABEL_NAME, element_name) != 0)
629 return (biba_to_string(sb, mb));
633 biba_parse_element(struct mac_biba_element *element, char *string)
635 char *compartment, *end, *grade;
638 if (strcmp(string, "high") == 0 || strcmp(string, "hi") == 0) {
639 element->mbe_type = MAC_BIBA_TYPE_HIGH;
640 element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
641 } else if (strcmp(string, "low") == 0 || strcmp(string, "lo") == 0) {
642 element->mbe_type = MAC_BIBA_TYPE_LOW;
643 element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
644 } else if (strcmp(string, "equal") == 0 ||
645 strcmp(string, "eq") == 0) {
646 element->mbe_type = MAC_BIBA_TYPE_EQUAL;
647 element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
649 element->mbe_type = MAC_BIBA_TYPE_GRADE;
652 * Numeric grade piece of the element.
654 grade = strsep(&string, ":");
655 value = strtol(grade, &end, 10);
656 if (end == grade || *end != '\0')
658 if (value < 0 || value > 65535)
660 element->mbe_grade = value;
663 * Optional compartment piece of the element. If none are
664 * included, we assume that the label has no compartments.
671 while ((compartment = strsep(&string, "+")) != NULL) {
672 value = strtol(compartment, &end, 10);
673 if (compartment == end || *end != '\0')
675 if (value < 1 || value > MAC_BIBA_MAX_COMPARTMENTS)
677 MAC_BIBA_BIT_SET(value, element->mbe_compartments);
685 * Note: destructively consumes the string, make a local copy before calling
686 * if that's a problem.
689 biba_parse(struct mac_biba *mb, char *string)
691 char *rangehigh, *rangelow, *effective;
694 effective = strsep(&string, "(");
695 if (*effective == '\0')
698 if (string != NULL) {
699 rangelow = strsep(&string, "-");
702 rangehigh = strsep(&string, ")");
712 KASSERT((rangelow != NULL && rangehigh != NULL) ||
713 (rangelow == NULL && rangehigh == NULL),
714 ("biba_parse: range mismatch"));
716 bzero(mb, sizeof(*mb));
717 if (effective != NULL) {
718 error = biba_parse_element(&mb->mb_effective, effective);
721 mb->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE;
724 if (rangelow != NULL) {
725 error = biba_parse_element(&mb->mb_rangelow, rangelow);
728 error = biba_parse_element(&mb->mb_rangehigh, rangehigh);
731 mb->mb_flags |= MAC_BIBA_FLAG_RANGE;
734 error = biba_valid(mb);
742 biba_internalize_label(struct label *label, char *element_name,
743 char *element_data, int *claimed)
745 struct mac_biba *mb, mb_temp;
748 if (strcmp(MAC_BIBA_LABEL_NAME, element_name) != 0)
753 error = biba_parse(&mb_temp, element_data);
764 biba_copy_label(struct label *src, struct label *dest)
767 *SLOT(dest) = *SLOT(src);
771 * Object-specific entry point implementations are sorted alphabetically by
772 * object type name and then by operation.
775 biba_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
776 struct ifnet *ifp, struct label *ifplabel)
778 struct mac_biba *a, *b;
786 if (biba_equal_effective(a, b))
792 biba_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
793 struct label *dlabel)
795 struct mac_biba *source, *dest;
797 source = SLOT(cred->cr_label);
800 biba_copy_effective(source, dest);
804 biba_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
805 struct mbuf *m, struct label *mlabel)
807 struct mac_biba *source, *dest;
809 source = SLOT(dlabel);
812 biba_copy_effective(source, dest);
816 biba_cred_associate_nfsd(struct ucred *cred)
818 struct mac_biba *label;
820 label = SLOT(cred->cr_label);
821 biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
822 biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
827 biba_cred_check_relabel(struct ucred *cred, struct label *newlabel)
829 struct mac_biba *subj, *new;
832 subj = SLOT(cred->cr_label);
833 new = SLOT(newlabel);
836 * If there is a Biba label update for the credential, it may
837 * be an update of the effective, range, or both.
839 error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
844 * If the Biba label is to be changed, authorize as appropriate.
846 if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
848 * If the change request modifies both the Biba label
849 * effective and range, check that the new effective will be
852 if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
853 MAC_BIBA_FLAGS_BOTH &&
854 !biba_effective_in_range(new, new))
858 * To change the Biba effective label on a credential, the
859 * new effective label must be in the current range.
861 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE &&
862 !biba_effective_in_range(new, subj))
866 * To change the Biba range on a credential, the new range
867 * label must be in the current range.
869 if (new->mb_flags & MAC_BIBA_FLAG_RANGE &&
870 !biba_range_in_range(new, subj))
874 * To have EQUAL in any component of the new credential Biba
875 * label, the subject must already have EQUAL in their label.
877 if (biba_contains_equal(new)) {
878 error = biba_subject_privileged(subj);
888 biba_cred_check_visible(struct ucred *u1, struct ucred *u2)
890 struct mac_biba *subj, *obj;
895 subj = SLOT(u1->cr_label);
896 obj = SLOT(u2->cr_label);
899 if (!biba_dominate_effective(obj, subj))
906 biba_cred_create_init(struct ucred *cred)
908 struct mac_biba *dest;
910 dest = SLOT(cred->cr_label);
912 biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
913 biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
918 biba_cred_create_swapper(struct ucred *cred)
920 struct mac_biba *dest;
922 dest = SLOT(cred->cr_label);
924 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
925 biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
930 biba_cred_relabel(struct ucred *cred, struct label *newlabel)
932 struct mac_biba *source, *dest;
934 source = SLOT(newlabel);
935 dest = SLOT(cred->cr_label);
937 biba_copy(source, dest);
941 biba_devfs_create_device(struct ucred *cred, struct mount *mp,
942 struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
950 if (strcmp(dn, "null") == 0 ||
951 strcmp(dn, "zero") == 0 ||
952 strcmp(dn, "random") == 0 ||
953 strncmp(dn, "fd/", strlen("fd/")) == 0)
954 biba_type = MAC_BIBA_TYPE_EQUAL;
955 else if (ptys_equal &&
956 (strncmp(dn, "ttyp", strlen("ttyp")) == 0 ||
957 strncmp(dn, "pts/", strlen("pts/")) == 0 ||
958 strncmp(dn, "ptyp", strlen("ptyp")) == 0))
959 biba_type = MAC_BIBA_TYPE_EQUAL;
961 biba_type = MAC_BIBA_TYPE_HIGH;
962 biba_set_effective(mb, biba_type, 0, NULL);
966 biba_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen,
967 struct devfs_dirent *de, struct label *delabel)
973 biba_set_effective(mb, MAC_BIBA_TYPE_HIGH, 0, NULL);
977 biba_devfs_create_symlink(struct ucred *cred, struct mount *mp,
978 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
979 struct label *delabel)
981 struct mac_biba *source, *dest;
983 source = SLOT(cred->cr_label);
984 dest = SLOT(delabel);
986 biba_copy_effective(source, dest);
990 biba_devfs_update(struct mount *mp, struct devfs_dirent *de,
991 struct label *delabel, struct vnode *vp, struct label *vplabel)
993 struct mac_biba *source, *dest;
995 source = SLOT(vplabel);
996 dest = SLOT(delabel);
998 biba_copy(source, dest);
1002 biba_devfs_vnode_associate(struct mount *mp, struct label *mntlabel,
1003 struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
1004 struct label *vplabel)
1006 struct mac_biba *source, *dest;
1008 source = SLOT(delabel);
1009 dest = SLOT(vplabel);
1011 biba_copy_effective(source, dest);
1015 biba_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
1016 struct label *ifplabel, struct label *newlabel)
1018 struct mac_biba *subj, *new;
1021 subj = SLOT(cred->cr_label);
1022 new = SLOT(newlabel);
1025 * If there is a Biba label update for the interface, it may be an
1026 * update of the effective, range, or both.
1028 error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
1033 * Relabling network interfaces requires Biba privilege.
1035 error = biba_subject_privileged(subj);
1043 biba_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
1044 struct mbuf *m, struct label *mlabel)
1046 struct mac_biba *p, *i;
1054 return (biba_effective_in_range(p, i) ? 0 : EACCES);
1058 biba_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
1060 char tifname[IFNAMSIZ], *p, *q;
1061 char tiflist[sizeof(trusted_interfaces)];
1062 struct mac_biba *dest;
1065 dest = SLOT(ifplabel);
1067 if (ifp->if_type == IFT_LOOP || interfaces_equal != 0) {
1068 type = MAC_BIBA_TYPE_EQUAL;
1072 if (trust_all_interfaces) {
1073 type = MAC_BIBA_TYPE_HIGH;
1077 type = MAC_BIBA_TYPE_LOW;
1079 if (trusted_interfaces[0] == '\0' ||
1080 !strvalid(trusted_interfaces, sizeof(trusted_interfaces)))
1083 bzero(tiflist, sizeof(tiflist));
1084 for (p = trusted_interfaces, q = tiflist; *p != '\0'; p++, q++)
1085 if(*p != ' ' && *p != '\t')
1088 for (p = q = tiflist;; p++) {
1089 if (*p == ',' || *p == '\0') {
1091 if (len < IFNAMSIZ) {
1092 bzero(tifname, sizeof(tifname));
1093 bcopy(q, tifname, len);
1094 if (strcmp(tifname, ifp->if_xname) == 0) {
1095 type = MAC_BIBA_TYPE_HIGH;
1100 printf("mac_biba warning: interface name "
1101 "\"%s\" is too long (must be < %d)\n",
1110 biba_set_effective(dest, type, 0, NULL);
1111 biba_set_range(dest, type, 0, NULL, type, 0, NULL);
1115 biba_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
1116 struct mbuf *m, struct label *mlabel)
1118 struct mac_biba *source, *dest;
1120 source = SLOT(ifplabel);
1121 dest = SLOT(mlabel);
1123 biba_copy_effective(source, dest);
1127 biba_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
1128 struct label *ifplabel, struct label *newlabel)
1130 struct mac_biba *source, *dest;
1132 source = SLOT(newlabel);
1133 dest = SLOT(ifplabel);
1135 biba_copy(source, dest);
1139 biba_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
1140 struct mbuf *m, struct label *mlabel)
1142 struct mac_biba *p, *i;
1150 return (biba_equal_effective(p, i) ? 0 : EACCES);
1154 biba_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
1155 struct label *inplabel)
1157 struct mac_biba *subj, *obj;
1162 subj = SLOT(cred->cr_label);
1163 obj = SLOT(inplabel);
1165 if (!biba_dominate_effective(obj, subj))
1172 biba_inpcb_create(struct socket *so, struct label *solabel,
1173 struct inpcb *inp, struct label *inplabel)
1175 struct mac_biba *source, *dest;
1177 source = SLOT(solabel);
1178 dest = SLOT(inplabel);
1181 biba_copy_effective(source, dest);
1186 biba_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
1187 struct mbuf *m, struct label *mlabel)
1189 struct mac_biba *source, *dest;
1191 source = SLOT(inplabel);
1192 dest = SLOT(mlabel);
1194 biba_copy_effective(source, dest);
1198 biba_inpcb_sosetlabel(struct socket *so, struct label *solabel,
1199 struct inpcb *inp, struct label *inplabel)
1201 struct mac_biba *source, *dest;
1203 SOCK_LOCK_ASSERT(so);
1205 source = SLOT(solabel);
1206 dest = SLOT(inplabel);
1208 biba_copy(source, dest);
1212 biba_ip6q_create(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
1213 struct label *q6label)
1215 struct mac_biba *source, *dest;
1217 source = SLOT(mlabel);
1218 dest = SLOT(q6label);
1220 biba_copy_effective(source, dest);
1224 biba_ip6q_match(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
1225 struct label *q6label)
1227 struct mac_biba *a, *b;
1232 return (biba_equal_effective(a, b));
1236 biba_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m,
1237 struct label *mlabel)
1239 struct mac_biba *source, *dest;
1241 source = SLOT(q6label);
1242 dest = SLOT(mlabel);
1244 /* Just use the head, since we require them all to match. */
1245 biba_copy_effective(source, dest);
1249 biba_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
1250 struct label *q6label)
1253 /* NOOP: we only accept matching labels, so no need to update */
1257 biba_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *q,
1258 struct label *qlabel)
1260 struct mac_biba *source, *dest;
1262 source = SLOT(mlabel);
1263 dest = SLOT(qlabel);
1265 biba_copy_effective(source, dest);
1269 biba_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *q,
1270 struct label *qlabel)
1272 struct mac_biba *a, *b;
1277 return (biba_equal_effective(a, b));
1281 biba_ipq_reassemble(struct ipq *q, struct label *qlabel, struct mbuf *m,
1282 struct label *mlabel)
1284 struct mac_biba *source, *dest;
1286 source = SLOT(qlabel);
1287 dest = SLOT(mlabel);
1289 /* Just use the head, since we require them all to match. */
1290 biba_copy_effective(source, dest);
1294 biba_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *q,
1295 struct label *qlabel)
1298 /* NOOP: we only accept matching labels, so no need to update */
1302 biba_kld_check_load(struct ucred *cred, struct vnode *vp,
1303 struct label *vplabel)
1305 struct mac_biba *subj, *obj;
1311 subj = SLOT(cred->cr_label);
1313 error = biba_subject_privileged(subj);
1317 obj = SLOT(vplabel);
1318 if (!biba_high_effective(obj))
1325 biba_mount_check_stat(struct ucred *cred, struct mount *mp,
1326 struct label *mplabel)
1328 struct mac_biba *subj, *obj;
1333 subj = SLOT(cred->cr_label);
1334 obj = SLOT(mplabel);
1336 if (!biba_dominate_effective(obj, subj))
1343 biba_mount_create(struct ucred *cred, struct mount *mp,
1344 struct label *mplabel)
1346 struct mac_biba *source, *dest;
1348 source = SLOT(cred->cr_label);
1349 dest = SLOT(mplabel);
1351 biba_copy_effective(source, dest);
1355 biba_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
1356 struct mbuf *m, struct label *mlabel)
1358 struct mac_biba *dest;
1360 dest = SLOT(mlabel);
1362 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
1366 biba_netinet_firewall_reply(struct mbuf *mrecv, struct label *mrecvlabel,
1367 struct mbuf *msend, struct label *msendlabel)
1369 struct mac_biba *source, *dest;
1371 source = SLOT(mrecvlabel);
1372 dest = SLOT(msendlabel);
1374 biba_copy_effective(source, dest);
1378 biba_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
1380 struct mac_biba *dest;
1382 dest = SLOT(mlabel);
1384 /* XXX: where is the label for the firewall really coming from? */
1385 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
1389 biba_netinet_fragment(struct mbuf *m, struct label *mlabel,
1390 struct mbuf *frag, struct label *fraglabel)
1392 struct mac_biba *source, *dest;
1394 source = SLOT(mlabel);
1395 dest = SLOT(fraglabel);
1397 biba_copy_effective(source, dest);
1401 biba_netinet_icmp_reply(struct mbuf *mrecv, struct label *mrecvlabel,
1402 struct mbuf *msend, struct label *msendlabel)
1404 struct mac_biba *source, *dest;
1406 source = SLOT(mrecvlabel);
1407 dest = SLOT(msendlabel);
1409 biba_copy_effective(source, dest);
1413 biba_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
1414 struct mbuf *m, struct label *mlabel)
1416 struct mac_biba *dest;
1418 dest = SLOT(mlabel);
1420 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
1424 biba_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
1425 struct mbuf *m, struct label *mlabel)
1427 struct mac_biba *dest;
1429 dest = SLOT(mlabel);
1431 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
1435 biba_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
1436 struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
1442 /* XXX: This will be implemented soon... */
1448 biba_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
1449 struct label *pplabel)
1451 struct mac_biba *subj, *obj;
1456 subj = SLOT(cred->cr_label);
1457 obj = SLOT(pplabel);
1459 if (!biba_dominate_effective(obj, subj))
1466 biba_pipe_check_read(struct ucred *cred, struct pipepair *pp,
1467 struct label *pplabel)
1469 struct mac_biba *subj, *obj;
1474 subj = SLOT(cred->cr_label);
1475 obj = SLOT(pplabel);
1477 if (!biba_dominate_effective(obj, subj))
1484 biba_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
1485 struct label *pplabel, struct label *newlabel)
1487 struct mac_biba *subj, *obj, *new;
1490 new = SLOT(newlabel);
1491 subj = SLOT(cred->cr_label);
1492 obj = SLOT(pplabel);
1495 * If there is a Biba label update for a pipe, it must be a effective
1498 error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
1503 * To perform a relabel of a pipe (Biba label or not), Biba must
1504 * authorize the relabel.
1506 if (!biba_effective_in_range(obj, subj))
1510 * If the Biba label is to be changed, authorize as appropriate.
1512 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
1514 * To change the Biba label on a pipe, the new pipe label
1515 * must be in the subject range.
1517 if (!biba_effective_in_range(new, subj))
1521 * To change the Biba label on a pipe to be EQUAL, the
1522 * subject must have appropriate privilege.
1524 if (biba_contains_equal(new)) {
1525 error = biba_subject_privileged(subj);
1535 biba_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
1536 struct label *pplabel)
1538 struct mac_biba *subj, *obj;
1543 subj = SLOT(cred->cr_label);
1544 obj = SLOT(pplabel);
1546 if (!biba_dominate_effective(obj, subj))
1553 biba_pipe_check_write(struct ucred *cred, struct pipepair *pp,
1554 struct label *pplabel)
1556 struct mac_biba *subj, *obj;
1561 subj = SLOT(cred->cr_label);
1562 obj = SLOT(pplabel);
1564 if (!biba_dominate_effective(subj, obj))
1571 biba_pipe_create(struct ucred *cred, struct pipepair *pp,
1572 struct label *pplabel)
1574 struct mac_biba *source, *dest;
1576 source = SLOT(cred->cr_label);
1577 dest = SLOT(pplabel);
1579 biba_copy_effective(source, dest);
1583 biba_pipe_relabel(struct ucred *cred, struct pipepair *pp,
1584 struct label *pplabel, struct label *newlabel)
1586 struct mac_biba *source, *dest;
1588 source = SLOT(newlabel);
1589 dest = SLOT(pplabel);
1591 biba_copy(source, dest);
1595 biba_posixsem_check_openunlink(struct ucred *cred, struct ksem *ks,
1596 struct label *kslabel)
1598 struct mac_biba *subj, *obj;
1603 subj = SLOT(cred->cr_label);
1604 obj = SLOT(kslabel);
1606 if (!biba_dominate_effective(subj, obj))
1613 biba_posixsem_check_setmode(struct ucred *cred, struct ksem *ks,
1614 struct label *kslabel, mode_t mode)
1616 struct mac_biba *subj, *obj;
1621 subj = SLOT(cred->cr_label);
1622 obj = SLOT(kslabel);
1624 if (!biba_dominate_effective(subj, obj))
1631 biba_posixsem_check_setowner(struct ucred *cred, struct ksem *ks,
1632 struct label *kslabel, uid_t uid, gid_t gid)
1634 struct mac_biba *subj, *obj;
1639 subj = SLOT(cred->cr_label);
1640 obj = SLOT(kslabel);
1642 if (!biba_dominate_effective(subj, obj))
1649 biba_posixsem_check_write(struct ucred *active_cred, struct ucred *file_cred,
1650 struct ksem *ks, struct label *kslabel)
1652 struct mac_biba *subj, *obj;
1657 subj = SLOT(active_cred->cr_label);
1658 obj = SLOT(kslabel);
1660 if (!biba_dominate_effective(subj, obj))
1667 biba_posixsem_check_rdonly(struct ucred *active_cred, struct ucred *file_cred,
1668 struct ksem *ks, struct label *kslabel)
1670 struct mac_biba *subj, *obj;
1675 subj = SLOT(active_cred->cr_label);
1676 obj = SLOT(kslabel);
1678 if (!biba_dominate_effective(obj, subj))
1685 biba_posixsem_create(struct ucred *cred, struct ksem *ks,
1686 struct label *kslabel)
1688 struct mac_biba *source, *dest;
1690 source = SLOT(cred->cr_label);
1691 dest = SLOT(kslabel);
1693 biba_copy_effective(source, dest);
1697 biba_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
1698 struct label *shmlabel, int prot, int flags)
1700 struct mac_biba *subj, *obj;
1702 if (!biba_enabled || !revocation_enabled)
1705 subj = SLOT(cred->cr_label);
1706 obj = SLOT(shmlabel);
1708 if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
1709 if (!biba_dominate_effective(obj, subj))
1712 if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) {
1713 if (!biba_dominate_effective(subj, obj))
1721 biba_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
1722 struct label *shmlabel, accmode_t accmode)
1724 struct mac_biba *subj, *obj;
1729 subj = SLOT(cred->cr_label);
1730 obj = SLOT(shmlabel);
1732 if (accmode & (VREAD | VEXEC | VSTAT_PERMS)) {
1733 if (!biba_dominate_effective(obj, subj))
1736 if (accmode & VMODIFY_PERMS) {
1737 if (!biba_dominate_effective(subj, obj))
1745 biba_posixshm_check_read(struct ucred *active_cred, struct ucred *file_cred,
1746 struct shmfd *vp, struct label *shmlabel)
1748 struct mac_biba *subj, *obj;
1750 if (!biba_enabled || !revocation_enabled)
1753 subj = SLOT(active_cred->cr_label);
1754 obj = SLOT(shmlabel);
1756 if (!biba_dominate_effective(obj, subj))
1763 biba_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd,
1764 struct label *shmlabel, mode_t mode)
1766 struct mac_biba *subj, *obj;
1771 subj = SLOT(cred->cr_label);
1772 obj = SLOT(shmlabel);
1774 if (!biba_dominate_effective(subj, obj))
1781 biba_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd,
1782 struct label *shmlabel, uid_t uid, gid_t gid)
1784 struct mac_biba *subj, *obj;
1789 subj = SLOT(cred->cr_label);
1790 obj = SLOT(shmlabel);
1792 if (!biba_dominate_effective(subj, obj))
1799 biba_posixshm_check_stat(struct ucred *active_cred, struct ucred *file_cred,
1800 struct shmfd *shmfd, struct label *shmlabel)
1802 struct mac_biba *subj, *obj;
1807 subj = SLOT(active_cred->cr_label);
1808 obj = SLOT(shmlabel);
1810 if (!biba_dominate_effective(obj, subj))
1817 biba_posixshm_check_truncate(struct ucred *active_cred,
1818 struct ucred *file_cred, struct shmfd *shmfd, struct label *shmlabel)
1820 struct mac_biba *subj, *obj;
1825 subj = SLOT(active_cred->cr_label);
1826 obj = SLOT(shmlabel);
1828 if (!biba_dominate_effective(subj, obj))
1835 biba_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd,
1836 struct label *shmlabel)
1838 struct mac_biba *subj, *obj;
1843 subj = SLOT(cred->cr_label);
1844 obj = SLOT(shmlabel);
1846 if (!biba_dominate_effective(subj, obj))
1853 biba_posixshm_check_write(struct ucred *active_cred, struct ucred *file_cred,
1854 struct shmfd *vp, struct label *shmlabel)
1856 struct mac_biba *subj, *obj;
1858 if (!biba_enabled || !revocation_enabled)
1861 subj = SLOT(active_cred->cr_label);
1862 obj = SLOT(shmlabel);
1864 if (!biba_dominate_effective(obj, subj))
1871 biba_posixshm_create(struct ucred *cred, struct shmfd *shmfd,
1872 struct label *shmlabel)
1874 struct mac_biba *source, *dest;
1876 source = SLOT(cred->cr_label);
1877 dest = SLOT(shmlabel);
1879 biba_copy_effective(source, dest);
1883 * Some system privileges are allowed regardless of integrity grade; others
1884 * are allowed only when running with privilege with respect to the Biba
1885 * policy as they might otherwise allow bypassing of the integrity policy.
1888 biba_priv_check(struct ucred *cred, int priv)
1890 struct mac_biba *subj;
1897 * Exempt only specific privileges from the Biba integrity policy.
1904 * Allow processes to manipulate basic process audit properties, and
1905 * to submit audit records.
1907 case PRIV_AUDIT_GETAUDIT:
1908 case PRIV_AUDIT_SETAUDIT:
1909 case PRIV_AUDIT_SUBMIT:
1912 * Allow processes to manipulate their regular UNIX credentials.
1914 case PRIV_CRED_SETUID:
1915 case PRIV_CRED_SETEUID:
1916 case PRIV_CRED_SETGID:
1917 case PRIV_CRED_SETEGID:
1918 case PRIV_CRED_SETGROUPS:
1919 case PRIV_CRED_SETREUID:
1920 case PRIV_CRED_SETREGID:
1921 case PRIV_CRED_SETRESUID:
1922 case PRIV_CRED_SETRESGID:
1925 * Allow processes to perform system monitoring.
1927 case PRIV_SEEOTHERGIDS:
1928 case PRIV_SEEOTHERUIDS:
1932 * Allow access to general process debugging facilities. We
1933 * separately control debugging based on MAC label.
1935 case PRIV_DEBUG_DIFFCRED:
1936 case PRIV_DEBUG_SUGID:
1937 case PRIV_DEBUG_UNPRIV:
1940 * Allow manipulating jails.
1942 case PRIV_JAIL_ATTACH:
1945 * Allow privilege with respect to the Partition policy, but not the
1948 case PRIV_MAC_PARTITION:
1951 * Allow privilege with respect to process resource limits and login
1954 case PRIV_PROC_LIMIT:
1955 case PRIV_PROC_SETLOGIN:
1956 case PRIV_PROC_SETRLIMIT:
1959 * Allow System V and POSIX IPC privileges.
1962 case PRIV_IPC_WRITE:
1963 case PRIV_IPC_ADMIN:
1964 case PRIV_IPC_MSGSIZE:
1968 * Allow certain scheduler manipulations -- possibly this should be
1969 * controlled by more fine-grained policy, as potentially low
1970 * integrity processes can deny CPU to higher integrity ones.
1972 case PRIV_SCHED_DIFFCRED:
1973 case PRIV_SCHED_SETPRIORITY:
1974 case PRIV_SCHED_RTPRIO:
1975 case PRIV_SCHED_SETPOLICY:
1976 case PRIV_SCHED_SET:
1977 case PRIV_SCHED_SETPARAM:
1980 * More IPC privileges.
1982 case PRIV_SEM_WRITE:
1985 * Allow signaling privileges subject to integrity policy.
1987 case PRIV_SIGNAL_DIFFCRED:
1988 case PRIV_SIGNAL_SUGID:
1991 * Allow access to only limited sysctls from lower integrity levels;
1992 * piggy-back on the Jail definition.
1994 case PRIV_SYSCTL_WRITEJAIL:
1997 * Allow TTY-based privileges, subject to general device access using
1998 * labels on TTY device nodes, but not console privilege.
2000 case PRIV_TTY_DRAINWAIT:
2001 case PRIV_TTY_DTRWAIT:
2002 case PRIV_TTY_EXCLUSIVE:
2007 * Grant most VFS privileges, as almost all are in practice bounded
2008 * by more specific checks using labels.
2011 case PRIV_VFS_WRITE:
2012 case PRIV_VFS_ADMIN:
2014 case PRIV_VFS_LOOKUP:
2015 case PRIV_VFS_CHFLAGS_DEV:
2016 case PRIV_VFS_CHOWN:
2017 case PRIV_VFS_CHROOT:
2018 case PRIV_VFS_RETAINSUGID:
2019 case PRIV_VFS_EXCEEDQUOTA:
2020 case PRIV_VFS_FCHROOT:
2021 case PRIV_VFS_FHOPEN:
2022 case PRIV_VFS_FHSTATFS:
2023 case PRIV_VFS_GENERATION:
2024 case PRIV_VFS_GETFH:
2025 case PRIV_VFS_GETQUOTA:
2027 case PRIV_VFS_MOUNT:
2028 case PRIV_VFS_MOUNT_OWNER:
2029 case PRIV_VFS_MOUNT_PERM:
2030 case PRIV_VFS_MOUNT_SUIDDIR:
2031 case PRIV_VFS_MOUNT_NONUSER:
2032 case PRIV_VFS_SETGID:
2033 case PRIV_VFS_STICKYFILE:
2034 case PRIV_VFS_SYSFLAGS:
2035 case PRIV_VFS_UNMOUNT:
2038 * Allow VM privileges; it would be nice if these were subject to
2041 case PRIV_VM_MADV_PROTECT:
2043 case PRIV_VM_MUNLOCK:
2044 case PRIV_VM_SWAP_NOQUOTA:
2045 case PRIV_VM_SWAP_NORLIMIT:
2048 * Allow some but not all network privileges. In general, dont allow
2049 * reconfiguring the network stack, just normal use.
2051 case PRIV_NETINET_RESERVEDPORT:
2052 case PRIV_NETINET_RAW:
2053 case PRIV_NETINET_REUSEPORT:
2057 * All remaining system privileges are allow only if the process
2058 * holds privilege with respect to the Biba policy.
2061 subj = SLOT(cred->cr_label);
2062 error = biba_subject_privileged(subj);
2070 biba_proc_check_debug(struct ucred *cred, struct proc *p)
2072 struct mac_biba *subj, *obj;
2077 subj = SLOT(cred->cr_label);
2078 obj = SLOT(p->p_ucred->cr_label);
2080 /* XXX: range checks */
2081 if (!biba_dominate_effective(obj, subj))
2083 if (!biba_dominate_effective(subj, obj))
2090 biba_proc_check_sched(struct ucred *cred, struct proc *p)
2092 struct mac_biba *subj, *obj;
2097 subj = SLOT(cred->cr_label);
2098 obj = SLOT(p->p_ucred->cr_label);
2100 /* XXX: range checks */
2101 if (!biba_dominate_effective(obj, subj))
2103 if (!biba_dominate_effective(subj, obj))
2110 biba_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
2112 struct mac_biba *subj, *obj;
2117 subj = SLOT(cred->cr_label);
2118 obj = SLOT(p->p_ucred->cr_label);
2120 /* XXX: range checks */
2121 if (!biba_dominate_effective(obj, subj))
2123 if (!biba_dominate_effective(subj, obj))
2130 biba_socket_check_deliver(struct socket *so, struct label *solabel,
2131 struct mbuf *m, struct label *mlabel)
2133 struct mac_biba *p, *s;
2143 error = biba_equal_effective(p, s) ? 0 : EACCES;
2149 biba_socket_check_relabel(struct ucred *cred, struct socket *so,
2150 struct label *solabel, struct label *newlabel)
2152 struct mac_biba *subj, *obj, *new;
2155 SOCK_LOCK_ASSERT(so);
2157 new = SLOT(newlabel);
2158 subj = SLOT(cred->cr_label);
2159 obj = SLOT(solabel);
2162 * If there is a Biba label update for the socket, it may be an
2163 * update of effective.
2165 error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
2170 * To relabel a socket, the old socket effective must be in the
2173 if (!biba_effective_in_range(obj, subj))
2177 * If the Biba label is to be changed, authorize as appropriate.
2179 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
2181 * To relabel a socket, the new socket effective must be in
2182 * the subject range.
2184 if (!biba_effective_in_range(new, subj))
2188 * To change the Biba label on the socket to contain EQUAL,
2189 * the subject must have appropriate privilege.
2191 if (biba_contains_equal(new)) {
2192 error = biba_subject_privileged(subj);
2202 biba_socket_check_visible(struct ucred *cred, struct socket *so,
2203 struct label *solabel)
2205 struct mac_biba *subj, *obj;
2210 subj = SLOT(cred->cr_label);
2211 obj = SLOT(solabel);
2214 if (!biba_dominate_effective(obj, subj)) {
2224 biba_socket_create(struct ucred *cred, struct socket *so,
2225 struct label *solabel)
2227 struct mac_biba *source, *dest;
2229 source = SLOT(cred->cr_label);
2230 dest = SLOT(solabel);
2232 biba_copy_effective(source, dest);
2236 biba_socket_create_mbuf(struct socket *so, struct label *solabel,
2237 struct mbuf *m, struct label *mlabel)
2239 struct mac_biba *source, *dest;
2241 source = SLOT(solabel);
2242 dest = SLOT(mlabel);
2245 biba_copy_effective(source, dest);
2250 biba_socket_newconn(struct socket *oldso, struct label *oldsolabel,
2251 struct socket *newso, struct label *newsolabel)
2253 struct mac_biba source, *dest;
2256 source = *SLOT(oldsolabel);
2259 dest = SLOT(newsolabel);
2262 biba_copy_effective(&source, dest);
2267 biba_socket_relabel(struct ucred *cred, struct socket *so,
2268 struct label *solabel, struct label *newlabel)
2270 struct mac_biba *source, *dest;
2272 SOCK_LOCK_ASSERT(so);
2274 source = SLOT(newlabel);
2275 dest = SLOT(solabel);
2277 biba_copy(source, dest);
2281 biba_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
2282 struct socket *so, struct label *sopeerlabel)
2284 struct mac_biba *source, *dest;
2286 source = SLOT(mlabel);
2287 dest = SLOT(sopeerlabel);
2290 biba_copy_effective(source, dest);
2295 biba_socketpeer_set_from_socket(struct socket *oldso,
2296 struct label *oldsolabel, struct socket *newso,
2297 struct label *newsopeerlabel)
2299 struct mac_biba source, *dest;
2302 source = *SLOT(oldsolabel);
2304 dest = SLOT(newsopeerlabel);
2307 biba_copy_effective(&source, dest);
2312 biba_syncache_create(struct label *label, struct inpcb *inp)
2314 struct mac_biba *source, *dest;
2316 source = SLOT(inp->inp_label);
2318 biba_copy_effective(source, dest);
2322 biba_syncache_create_mbuf(struct label *sc_label, struct mbuf *m,
2323 struct label *mlabel)
2325 struct mac_biba *source, *dest;
2327 source = SLOT(sc_label);
2328 dest = SLOT(mlabel);
2329 biba_copy_effective(source, dest);
2333 biba_system_check_acct(struct ucred *cred, struct vnode *vp,
2334 struct label *vplabel)
2336 struct mac_biba *subj, *obj;
2342 subj = SLOT(cred->cr_label);
2344 error = biba_subject_privileged(subj);
2348 if (vplabel == NULL)
2351 obj = SLOT(vplabel);
2352 if (!biba_high_effective(obj))
2359 biba_system_check_auditctl(struct ucred *cred, struct vnode *vp,
2360 struct label *vplabel)
2362 struct mac_biba *subj, *obj;
2368 subj = SLOT(cred->cr_label);
2370 error = biba_subject_privileged(subj);
2374 if (vplabel == NULL)
2377 obj = SLOT(vplabel);
2378 if (!biba_high_effective(obj))
2385 biba_system_check_auditon(struct ucred *cred, int cmd)
2387 struct mac_biba *subj;
2393 subj = SLOT(cred->cr_label);
2395 error = biba_subject_privileged(subj);
2403 biba_system_check_swapoff(struct ucred *cred, struct vnode *vp,
2404 struct label *label)
2406 struct mac_biba *subj;
2412 subj = SLOT(cred->cr_label);
2414 error = biba_subject_privileged(subj);
2422 biba_system_check_swapon(struct ucred *cred, struct vnode *vp,
2423 struct label *vplabel)
2425 struct mac_biba *subj, *obj;
2431 subj = SLOT(cred->cr_label);
2432 obj = SLOT(vplabel);
2434 error = biba_subject_privileged(subj);
2438 if (!biba_high_effective(obj))
2445 biba_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
2446 void *arg1, int arg2, struct sysctl_req *req)
2448 struct mac_biba *subj;
2454 subj = SLOT(cred->cr_label);
2457 * Treat sysctl variables without CTLFLAG_ANYBODY flag as biba/high,
2458 * but also require privilege to change them.
2460 if (req->newptr != NULL && (oidp->oid_kind & CTLFLAG_ANYBODY) == 0) {
2461 if (!biba_subject_dominate_high(subj))
2464 error = biba_subject_privileged(subj);
2473 biba_sysvmsg_cleanup(struct label *msglabel)
2476 bzero(SLOT(msglabel), sizeof(struct mac_biba));
2480 biba_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
2481 struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
2483 struct mac_biba *source, *dest;
2485 /* Ignore the msgq label */
2486 source = SLOT(cred->cr_label);
2487 dest = SLOT(msglabel);
2489 biba_copy_effective(source, dest);
2493 biba_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
2494 struct label *msglabel)
2496 struct mac_biba *subj, *obj;
2501 subj = SLOT(cred->cr_label);
2502 obj = SLOT(msglabel);
2504 if (!biba_dominate_effective(obj, subj))
2511 biba_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
2512 struct label *msglabel)
2514 struct mac_biba *subj, *obj;
2519 subj = SLOT(cred->cr_label);
2520 obj = SLOT(msglabel);
2522 if (!biba_dominate_effective(subj, obj))
2529 biba_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
2530 struct label *msqklabel)
2532 struct mac_biba *subj, *obj;
2537 subj = SLOT(cred->cr_label);
2538 obj = SLOT(msqklabel);
2540 if (!biba_dominate_effective(obj, subj))
2547 biba_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
2548 struct label *msqklabel)
2550 struct mac_biba *subj, *obj;
2555 subj = SLOT(cred->cr_label);
2556 obj = SLOT(msqklabel);
2558 if (!biba_dominate_effective(subj, obj))
2565 biba_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
2566 struct label *msqklabel)
2568 struct mac_biba *subj, *obj;
2573 subj = SLOT(cred->cr_label);
2574 obj = SLOT(msqklabel);
2576 if (!biba_dominate_effective(obj, subj))
2583 biba_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
2584 struct label *msqklabel, int cmd)
2586 struct mac_biba *subj, *obj;
2591 subj = SLOT(cred->cr_label);
2592 obj = SLOT(msqklabel);
2597 if (!biba_dominate_effective(subj, obj))
2602 if (!biba_dominate_effective(obj, subj))
2614 biba_sysvmsq_cleanup(struct label *msqlabel)
2617 bzero(SLOT(msqlabel), sizeof(struct mac_biba));
2621 biba_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr,
2622 struct label *msqlabel)
2624 struct mac_biba *source, *dest;
2626 source = SLOT(cred->cr_label);
2627 dest = SLOT(msqlabel);
2629 biba_copy_effective(source, dest);
2633 biba_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr,
2634 struct label *semaklabel, int cmd)
2636 struct mac_biba *subj, *obj;
2641 subj = SLOT(cred->cr_label);
2642 obj = SLOT(semaklabel);
2649 if (!biba_dominate_effective(subj, obj))
2659 if (!biba_dominate_effective(obj, subj))
2671 biba_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr,
2672 struct label *semaklabel)
2674 struct mac_biba *subj, *obj;
2679 subj = SLOT(cred->cr_label);
2680 obj = SLOT(semaklabel);
2682 if (!biba_dominate_effective(obj, subj))
2689 biba_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr,
2690 struct label *semaklabel, size_t accesstype)
2692 struct mac_biba *subj, *obj;
2697 subj = SLOT(cred->cr_label);
2698 obj = SLOT(semaklabel);
2700 if (accesstype & SEM_R)
2701 if (!biba_dominate_effective(obj, subj))
2704 if (accesstype & SEM_A)
2705 if (!biba_dominate_effective(subj, obj))
2712 biba_sysvsem_cleanup(struct label *semalabel)
2715 bzero(SLOT(semalabel), sizeof(struct mac_biba));
2719 biba_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
2720 struct label *semalabel)
2722 struct mac_biba *source, *dest;
2724 source = SLOT(cred->cr_label);
2725 dest = SLOT(semalabel);
2727 biba_copy_effective(source, dest);
2731 biba_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
2732 struct label *shmseglabel, int shmflg)
2734 struct mac_biba *subj, *obj;
2739 subj = SLOT(cred->cr_label);
2740 obj = SLOT(shmseglabel);
2742 if (!biba_dominate_effective(obj, subj))
2744 if ((shmflg & SHM_RDONLY) == 0) {
2745 if (!biba_dominate_effective(subj, obj))
2753 biba_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
2754 struct label *shmseglabel, int cmd)
2756 struct mac_biba *subj, *obj;
2761 subj = SLOT(cred->cr_label);
2762 obj = SLOT(shmseglabel);
2767 if (!biba_dominate_effective(subj, obj))
2773 if (!biba_dominate_effective(obj, subj))
2785 biba_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
2786 struct label *shmseglabel, int shmflg)
2788 struct mac_biba *subj, *obj;
2793 subj = SLOT(cred->cr_label);
2794 obj = SLOT(shmseglabel);
2796 if (!biba_dominate_effective(obj, subj))
2803 biba_sysvshm_cleanup(struct label *shmlabel)
2806 bzero(SLOT(shmlabel), sizeof(struct mac_biba));
2810 biba_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
2811 struct label *shmlabel)
2813 struct mac_biba *source, *dest;
2815 source = SLOT(cred->cr_label);
2816 dest = SLOT(shmlabel);
2818 biba_copy_effective(source, dest);
2822 biba_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
2823 struct vnode *vp, struct label *vplabel)
2825 struct mac_biba mb_temp, *source, *dest;
2828 source = SLOT(mplabel);
2829 dest = SLOT(vplabel);
2831 buflen = sizeof(mb_temp);
2832 bzero(&mb_temp, buflen);
2834 error = vn_extattr_get(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
2835 MAC_BIBA_EXTATTR_NAME, &buflen, (char *) &mb_temp, curthread);
2836 if (error == ENOATTR || error == EOPNOTSUPP) {
2837 /* Fall back to the mntlabel. */
2838 biba_copy_effective(source, dest);
2843 if (buflen != sizeof(mb_temp)) {
2844 printf("biba_vnode_associate_extattr: bad size %d\n",
2848 if (biba_valid(&mb_temp) != 0) {
2849 printf("biba_vnode_associate_extattr: invalid\n");
2852 if ((mb_temp.mb_flags & MAC_BIBA_FLAGS_BOTH) !=
2853 MAC_BIBA_FLAG_EFFECTIVE) {
2854 printf("biba_vnode_associate_extattr: not effective\n");
2858 biba_copy_effective(&mb_temp, dest);
2863 biba_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel,
2864 struct vnode *vp, struct label *vplabel)
2866 struct mac_biba *source, *dest;
2868 source = SLOT(mplabel);
2869 dest = SLOT(vplabel);
2871 biba_copy_effective(source, dest);
2875 biba_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
2876 struct label *dvplabel)
2878 struct mac_biba *subj, *obj;
2883 subj = SLOT(cred->cr_label);
2884 obj = SLOT(dvplabel);
2886 if (!biba_dominate_effective(obj, subj))
2893 biba_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
2894 struct label *dvplabel)
2896 struct mac_biba *subj, *obj;
2901 subj = SLOT(cred->cr_label);
2902 obj = SLOT(dvplabel);
2904 if (!biba_dominate_effective(obj, subj))
2911 biba_vnode_check_create(struct ucred *cred, struct vnode *dvp,
2912 struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
2914 struct mac_biba *subj, *obj;
2919 subj = SLOT(cred->cr_label);
2920 obj = SLOT(dvplabel);
2922 if (!biba_dominate_effective(subj, obj))
2929 biba_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
2930 struct label *vplabel, acl_type_t type)
2932 struct mac_biba *subj, *obj;
2937 subj = SLOT(cred->cr_label);
2938 obj = SLOT(vplabel);
2940 if (!biba_dominate_effective(subj, obj))
2947 biba_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
2948 struct label *vplabel, int attrnamespace, const char *name)
2950 struct mac_biba *subj, *obj;
2955 subj = SLOT(cred->cr_label);
2956 obj = SLOT(vplabel);
2958 if (!biba_dominate_effective(subj, obj))
2965 biba_vnode_check_exec(struct ucred *cred, struct vnode *vp,
2966 struct label *vplabel, struct image_params *imgp,
2967 struct label *execlabel)
2969 struct mac_biba *subj, *obj, *exec;
2972 if (execlabel != NULL) {
2974 * We currently don't permit labels to be changed at
2975 * exec-time as part of Biba, so disallow non-NULL Biba label
2976 * elements in the execlabel.
2978 exec = SLOT(execlabel);
2979 error = biba_atmostflags(exec, 0);
2987 subj = SLOT(cred->cr_label);
2988 obj = SLOT(vplabel);
2990 if (!biba_dominate_effective(obj, subj))
2997 biba_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
2998 struct label *vplabel, acl_type_t type)
3000 struct mac_biba *subj, *obj;
3005 subj = SLOT(cred->cr_label);
3006 obj = SLOT(vplabel);
3008 if (!biba_dominate_effective(obj, subj))
3015 biba_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
3016 struct label *vplabel, int attrnamespace, const char *name)
3018 struct mac_biba *subj, *obj;
3023 subj = SLOT(cred->cr_label);
3024 obj = SLOT(vplabel);
3026 if (!biba_dominate_effective(obj, subj))
3033 biba_vnode_check_link(struct ucred *cred, struct vnode *dvp,
3034 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
3035 struct componentname *cnp)
3037 struct mac_biba *subj, *obj;
3042 subj = SLOT(cred->cr_label);
3043 obj = SLOT(dvplabel);
3045 if (!biba_dominate_effective(subj, obj))
3048 obj = SLOT(vplabel);
3050 if (!biba_dominate_effective(subj, obj))
3057 biba_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
3058 struct label *vplabel, int attrnamespace)
3060 struct mac_biba *subj, *obj;
3065 subj = SLOT(cred->cr_label);
3066 obj = SLOT(vplabel);
3068 if (!biba_dominate_effective(obj, subj))
3075 biba_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
3076 struct label *dvplabel, struct componentname *cnp)
3078 struct mac_biba *subj, *obj;
3083 subj = SLOT(cred->cr_label);
3084 obj = SLOT(dvplabel);
3086 if (!biba_dominate_effective(obj, subj))
3093 biba_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
3094 struct label *vplabel, int prot, int flags)
3096 struct mac_biba *subj, *obj;
3099 * Rely on the use of open()-time protections to handle
3100 * non-revocation cases.
3102 if (!biba_enabled || !revocation_enabled)
3105 subj = SLOT(cred->cr_label);
3106 obj = SLOT(vplabel);
3108 if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
3109 if (!biba_dominate_effective(obj, subj))
3112 if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) {
3113 if (!biba_dominate_effective(subj, obj))
3121 biba_vnode_check_open(struct ucred *cred, struct vnode *vp,
3122 struct label *vplabel, accmode_t accmode)
3124 struct mac_biba *subj, *obj;
3129 subj = SLOT(cred->cr_label);
3130 obj = SLOT(vplabel);
3132 /* XXX privilege override for admin? */
3133 if (accmode & (VREAD | VEXEC | VSTAT_PERMS)) {
3134 if (!biba_dominate_effective(obj, subj))
3137 if (accmode & VMODIFY_PERMS) {
3138 if (!biba_dominate_effective(subj, obj))
3146 biba_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
3147 struct vnode *vp, struct label *vplabel)
3149 struct mac_biba *subj, *obj;
3151 if (!biba_enabled || !revocation_enabled)
3154 subj = SLOT(active_cred->cr_label);
3155 obj = SLOT(vplabel);
3157 if (!biba_dominate_effective(obj, subj))
3164 biba_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
3165 struct vnode *vp, struct label *vplabel)
3167 struct mac_biba *subj, *obj;
3169 if (!biba_enabled || !revocation_enabled)
3172 subj = SLOT(active_cred->cr_label);
3173 obj = SLOT(vplabel);
3175 if (!biba_dominate_effective(obj, subj))
3182 biba_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
3183 struct label *dvplabel)
3185 struct mac_biba *subj, *obj;
3190 subj = SLOT(cred->cr_label);
3191 obj = SLOT(dvplabel);
3193 if (!biba_dominate_effective(obj, subj))
3200 biba_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
3201 struct label *vplabel)
3203 struct mac_biba *subj, *obj;
3208 subj = SLOT(cred->cr_label);
3209 obj = SLOT(vplabel);
3211 if (!biba_dominate_effective(obj, subj))
3218 biba_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
3219 struct label *vplabel, struct label *newlabel)
3221 struct mac_biba *old, *new, *subj;
3224 old = SLOT(vplabel);
3225 new = SLOT(newlabel);
3226 subj = SLOT(cred->cr_label);
3229 * If there is a Biba label update for the vnode, it must be a
3232 error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
3237 * To perform a relabel of the vnode (Biba label or not), Biba must
3238 * authorize the relabel.
3240 if (!biba_effective_in_range(old, subj))
3244 * If the Biba label is to be changed, authorize as appropriate.
3246 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
3248 * To change the Biba label on a vnode, the new vnode label
3249 * must be in the subject range.
3251 if (!biba_effective_in_range(new, subj))
3255 * To change the Biba label on the vnode to be EQUAL, the
3256 * subject must have appropriate privilege.
3258 if (biba_contains_equal(new)) {
3259 error = biba_subject_privileged(subj);
3269 biba_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
3270 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
3271 struct componentname *cnp)
3273 struct mac_biba *subj, *obj;
3278 subj = SLOT(cred->cr_label);
3279 obj = SLOT(dvplabel);
3281 if (!biba_dominate_effective(subj, obj))
3284 obj = SLOT(vplabel);
3286 if (!biba_dominate_effective(subj, obj))
3293 biba_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
3294 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
3295 int samedir, struct componentname *cnp)
3297 struct mac_biba *subj, *obj;
3302 subj = SLOT(cred->cr_label);
3303 obj = SLOT(dvplabel);
3305 if (!biba_dominate_effective(subj, obj))
3309 obj = SLOT(vplabel);
3311 if (!biba_dominate_effective(subj, obj))
3319 biba_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
3320 struct label *vplabel)
3322 struct mac_biba *subj, *obj;
3327 subj = SLOT(cred->cr_label);
3328 obj = SLOT(vplabel);
3330 if (!biba_dominate_effective(subj, obj))
3337 biba_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
3338 struct label *vplabel, acl_type_t type, struct acl *acl)
3340 struct mac_biba *subj, *obj;
3345 subj = SLOT(cred->cr_label);
3346 obj = SLOT(vplabel);
3348 if (!biba_dominate_effective(subj, obj))
3355 biba_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
3356 struct label *vplabel, int attrnamespace, const char *name)
3358 struct mac_biba *subj, *obj;
3363 subj = SLOT(cred->cr_label);
3364 obj = SLOT(vplabel);
3366 if (!biba_dominate_effective(subj, obj))
3369 /* XXX: protect the MAC EA in a special way? */
3375 biba_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
3376 struct label *vplabel, u_long flags)
3378 struct mac_biba *subj, *obj;
3383 subj = SLOT(cred->cr_label);
3384 obj = SLOT(vplabel);
3386 if (!biba_dominate_effective(subj, obj))
3393 biba_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
3394 struct label *vplabel, mode_t mode)
3396 struct mac_biba *subj, *obj;
3401 subj = SLOT(cred->cr_label);
3402 obj = SLOT(vplabel);
3404 if (!biba_dominate_effective(subj, obj))
3411 biba_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
3412 struct label *vplabel, uid_t uid, gid_t gid)
3414 struct mac_biba *subj, *obj;
3419 subj = SLOT(cred->cr_label);
3420 obj = SLOT(vplabel);
3422 if (!biba_dominate_effective(subj, obj))
3429 biba_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
3430 struct label *vplabel, struct timespec atime, struct timespec mtime)
3432 struct mac_biba *subj, *obj;
3437 subj = SLOT(cred->cr_label);
3438 obj = SLOT(vplabel);
3440 if (!biba_dominate_effective(subj, obj))
3447 biba_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
3448 struct vnode *vp, struct label *vplabel)
3450 struct mac_biba *subj, *obj;
3455 subj = SLOT(active_cred->cr_label);
3456 obj = SLOT(vplabel);
3458 if (!biba_dominate_effective(obj, subj))
3465 biba_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
3466 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
3467 struct componentname *cnp)
3469 struct mac_biba *subj, *obj;
3474 subj = SLOT(cred->cr_label);
3475 obj = SLOT(dvplabel);
3477 if (!biba_dominate_effective(subj, obj))
3480 obj = SLOT(vplabel);
3482 if (!biba_dominate_effective(subj, obj))
3489 biba_vnode_check_write(struct ucred *active_cred,
3490 struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
3492 struct mac_biba *subj, *obj;
3494 if (!biba_enabled || !revocation_enabled)
3497 subj = SLOT(active_cred->cr_label);
3498 obj = SLOT(vplabel);
3500 if (!biba_dominate_effective(subj, obj))
3507 biba_vnode_create_extattr(struct ucred *cred, struct mount *mp,
3508 struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
3509 struct vnode *vp, struct label *vplabel, struct componentname *cnp)
3511 struct mac_biba *source, *dest, mb_temp;
3515 buflen = sizeof(mb_temp);
3516 bzero(&mb_temp, buflen);
3518 source = SLOT(cred->cr_label);
3519 dest = SLOT(vplabel);
3520 biba_copy_effective(source, &mb_temp);
3522 error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
3523 MAC_BIBA_EXTATTR_NAME, buflen, (char *) &mb_temp, curthread);
3525 biba_copy_effective(source, dest);
3530 biba_vnode_relabel(struct ucred *cred, struct vnode *vp,
3531 struct label *vplabel, struct label *newlabel)
3533 struct mac_biba *source, *dest;
3535 source = SLOT(newlabel);
3536 dest = SLOT(vplabel);
3538 biba_copy(source, dest);
3542 biba_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
3543 struct label *vplabel, struct label *intlabel)
3545 struct mac_biba *source, mb_temp;
3549 buflen = sizeof(mb_temp);
3550 bzero(&mb_temp, buflen);
3552 source = SLOT(intlabel);
3553 if ((source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) == 0)
3556 biba_copy_effective(source, &mb_temp);
3558 error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
3559 MAC_BIBA_EXTATTR_NAME, buflen, (char *) &mb_temp, curthread);
3563 static struct mac_policy_ops mac_biba_ops =
3565 .mpo_init = biba_init,
3567 .mpo_bpfdesc_check_receive = biba_bpfdesc_check_receive,
3568 .mpo_bpfdesc_create = biba_bpfdesc_create,
3569 .mpo_bpfdesc_create_mbuf = biba_bpfdesc_create_mbuf,
3570 .mpo_bpfdesc_destroy_label = biba_destroy_label,
3571 .mpo_bpfdesc_init_label = biba_init_label,
3573 .mpo_cred_associate_nfsd = biba_cred_associate_nfsd,
3574 .mpo_cred_check_relabel = biba_cred_check_relabel,
3575 .mpo_cred_check_visible = biba_cred_check_visible,
3576 .mpo_cred_copy_label = biba_copy_label,
3577 .mpo_cred_create_init = biba_cred_create_init,
3578 .mpo_cred_create_swapper = biba_cred_create_swapper,
3579 .mpo_cred_destroy_label = biba_destroy_label,
3580 .mpo_cred_externalize_label = biba_externalize_label,
3581 .mpo_cred_init_label = biba_init_label,
3582 .mpo_cred_internalize_label = biba_internalize_label,
3583 .mpo_cred_relabel = biba_cred_relabel,
3585 .mpo_devfs_create_device = biba_devfs_create_device,
3586 .mpo_devfs_create_directory = biba_devfs_create_directory,
3587 .mpo_devfs_create_symlink = biba_devfs_create_symlink,
3588 .mpo_devfs_destroy_label = biba_destroy_label,
3589 .mpo_devfs_init_label = biba_init_label,
3590 .mpo_devfs_update = biba_devfs_update,
3591 .mpo_devfs_vnode_associate = biba_devfs_vnode_associate,
3593 .mpo_ifnet_check_relabel = biba_ifnet_check_relabel,
3594 .mpo_ifnet_check_transmit = biba_ifnet_check_transmit,
3595 .mpo_ifnet_copy_label = biba_copy_label,
3596 .mpo_ifnet_create = biba_ifnet_create,
3597 .mpo_ifnet_create_mbuf = biba_ifnet_create_mbuf,
3598 .mpo_ifnet_destroy_label = biba_destroy_label,
3599 .mpo_ifnet_externalize_label = biba_externalize_label,
3600 .mpo_ifnet_init_label = biba_init_label,
3601 .mpo_ifnet_internalize_label = biba_internalize_label,
3602 .mpo_ifnet_relabel = biba_ifnet_relabel,
3604 .mpo_inpcb_check_deliver = biba_inpcb_check_deliver,
3605 .mpo_inpcb_check_visible = biba_inpcb_check_visible,
3606 .mpo_inpcb_create = biba_inpcb_create,
3607 .mpo_inpcb_create_mbuf = biba_inpcb_create_mbuf,
3608 .mpo_inpcb_destroy_label = biba_destroy_label,
3609 .mpo_inpcb_init_label = biba_init_label_waitcheck,
3610 .mpo_inpcb_sosetlabel = biba_inpcb_sosetlabel,
3612 .mpo_ip6q_create = biba_ip6q_create,
3613 .mpo_ip6q_destroy_label = biba_destroy_label,
3614 .mpo_ip6q_init_label = biba_init_label_waitcheck,
3615 .mpo_ip6q_match = biba_ip6q_match,
3616 .mpo_ip6q_reassemble = biba_ip6q_reassemble,
3617 .mpo_ip6q_update = biba_ip6q_update,
3619 .mpo_ipq_create = biba_ipq_create,
3620 .mpo_ipq_destroy_label = biba_destroy_label,
3621 .mpo_ipq_init_label = biba_init_label_waitcheck,
3622 .mpo_ipq_match = biba_ipq_match,
3623 .mpo_ipq_reassemble = biba_ipq_reassemble,
3624 .mpo_ipq_update = biba_ipq_update,
3626 .mpo_kld_check_load = biba_kld_check_load,
3628 .mpo_mbuf_copy_label = biba_copy_label,
3629 .mpo_mbuf_destroy_label = biba_destroy_label,
3630 .mpo_mbuf_init_label = biba_init_label_waitcheck,
3632 .mpo_mount_check_stat = biba_mount_check_stat,
3633 .mpo_mount_create = biba_mount_create,
3634 .mpo_mount_destroy_label = biba_destroy_label,
3635 .mpo_mount_init_label = biba_init_label,
3637 .mpo_netinet_arp_send = biba_netinet_arp_send,
3638 .mpo_netinet_firewall_reply = biba_netinet_firewall_reply,
3639 .mpo_netinet_firewall_send = biba_netinet_firewall_send,
3640 .mpo_netinet_fragment = biba_netinet_fragment,
3641 .mpo_netinet_icmp_reply = biba_netinet_icmp_reply,
3642 .mpo_netinet_igmp_send = biba_netinet_igmp_send,
3644 .mpo_netinet6_nd6_send = biba_netinet6_nd6_send,
3646 .mpo_pipe_check_ioctl = biba_pipe_check_ioctl,
3647 .mpo_pipe_check_poll = biba_pipe_check_poll,
3648 .mpo_pipe_check_read = biba_pipe_check_read,
3649 .mpo_pipe_check_relabel = biba_pipe_check_relabel,
3650 .mpo_pipe_check_stat = biba_pipe_check_stat,
3651 .mpo_pipe_check_write = biba_pipe_check_write,
3652 .mpo_pipe_copy_label = biba_copy_label,
3653 .mpo_pipe_create = biba_pipe_create,
3654 .mpo_pipe_destroy_label = biba_destroy_label,
3655 .mpo_pipe_externalize_label = biba_externalize_label,
3656 .mpo_pipe_init_label = biba_init_label,
3657 .mpo_pipe_internalize_label = biba_internalize_label,
3658 .mpo_pipe_relabel = biba_pipe_relabel,
3660 .mpo_posixsem_check_getvalue = biba_posixsem_check_rdonly,
3661 .mpo_posixsem_check_open = biba_posixsem_check_openunlink,
3662 .mpo_posixsem_check_post = biba_posixsem_check_write,
3663 .mpo_posixsem_check_setmode = biba_posixsem_check_setmode,
3664 .mpo_posixsem_check_setowner = biba_posixsem_check_setowner,
3665 .mpo_posixsem_check_stat = biba_posixsem_check_rdonly,
3666 .mpo_posixsem_check_unlink = biba_posixsem_check_openunlink,
3667 .mpo_posixsem_check_wait = biba_posixsem_check_write,
3668 .mpo_posixsem_create = biba_posixsem_create,
3669 .mpo_posixsem_destroy_label = biba_destroy_label,
3670 .mpo_posixsem_init_label = biba_init_label,
3672 .mpo_posixshm_check_mmap = biba_posixshm_check_mmap,
3673 .mpo_posixshm_check_open = biba_posixshm_check_open,
3674 .mpo_posixshm_check_read = biba_posixshm_check_read,
3675 .mpo_posixshm_check_setmode = biba_posixshm_check_setmode,
3676 .mpo_posixshm_check_setowner = biba_posixshm_check_setowner,
3677 .mpo_posixshm_check_stat = biba_posixshm_check_stat,
3678 .mpo_posixshm_check_truncate = biba_posixshm_check_truncate,
3679 .mpo_posixshm_check_unlink = biba_posixshm_check_unlink,
3680 .mpo_posixshm_check_write = biba_posixshm_check_write,
3681 .mpo_posixshm_create = biba_posixshm_create,
3682 .mpo_posixshm_destroy_label = biba_destroy_label,
3683 .mpo_posixshm_init_label = biba_init_label,
3685 .mpo_priv_check = biba_priv_check,
3687 .mpo_proc_check_debug = biba_proc_check_debug,
3688 .mpo_proc_check_sched = biba_proc_check_sched,
3689 .mpo_proc_check_signal = biba_proc_check_signal,
3691 .mpo_socket_check_deliver = biba_socket_check_deliver,
3692 .mpo_socket_check_relabel = biba_socket_check_relabel,
3693 .mpo_socket_check_visible = biba_socket_check_visible,
3694 .mpo_socket_copy_label = biba_copy_label,
3695 .mpo_socket_create = biba_socket_create,
3696 .mpo_socket_create_mbuf = biba_socket_create_mbuf,
3697 .mpo_socket_destroy_label = biba_destroy_label,
3698 .mpo_socket_externalize_label = biba_externalize_label,
3699 .mpo_socket_init_label = biba_init_label_waitcheck,
3700 .mpo_socket_internalize_label = biba_internalize_label,
3701 .mpo_socket_newconn = biba_socket_newconn,
3702 .mpo_socket_relabel = biba_socket_relabel,
3704 .mpo_socketpeer_destroy_label = biba_destroy_label,
3705 .mpo_socketpeer_externalize_label = biba_externalize_label,
3706 .mpo_socketpeer_init_label = biba_init_label_waitcheck,
3707 .mpo_socketpeer_set_from_mbuf = biba_socketpeer_set_from_mbuf,
3708 .mpo_socketpeer_set_from_socket = biba_socketpeer_set_from_socket,
3710 .mpo_syncache_create = biba_syncache_create,
3711 .mpo_syncache_create_mbuf = biba_syncache_create_mbuf,
3712 .mpo_syncache_destroy_label = biba_destroy_label,
3713 .mpo_syncache_init_label = biba_init_label_waitcheck,
3715 .mpo_system_check_acct = biba_system_check_acct,
3716 .mpo_system_check_auditctl = biba_system_check_auditctl,
3717 .mpo_system_check_auditon = biba_system_check_auditon,
3718 .mpo_system_check_swapoff = biba_system_check_swapoff,
3719 .mpo_system_check_swapon = biba_system_check_swapon,
3720 .mpo_system_check_sysctl = biba_system_check_sysctl,
3722 .mpo_sysvmsg_cleanup = biba_sysvmsg_cleanup,
3723 .mpo_sysvmsg_create = biba_sysvmsg_create,
3724 .mpo_sysvmsg_destroy_label = biba_destroy_label,
3725 .mpo_sysvmsg_init_label = biba_init_label,
3727 .mpo_sysvmsq_check_msgrcv = biba_sysvmsq_check_msgrcv,
3728 .mpo_sysvmsq_check_msgrmid = biba_sysvmsq_check_msgrmid,
3729 .mpo_sysvmsq_check_msqget = biba_sysvmsq_check_msqget,
3730 .mpo_sysvmsq_check_msqsnd = biba_sysvmsq_check_msqsnd,
3731 .mpo_sysvmsq_check_msqrcv = biba_sysvmsq_check_msqrcv,
3732 .mpo_sysvmsq_check_msqctl = biba_sysvmsq_check_msqctl,
3733 .mpo_sysvmsq_cleanup = biba_sysvmsq_cleanup,
3734 .mpo_sysvmsq_create = biba_sysvmsq_create,
3735 .mpo_sysvmsq_destroy_label = biba_destroy_label,
3736 .mpo_sysvmsq_init_label = biba_init_label,
3738 .mpo_sysvsem_check_semctl = biba_sysvsem_check_semctl,
3739 .mpo_sysvsem_check_semget = biba_sysvsem_check_semget,
3740 .mpo_sysvsem_check_semop = biba_sysvsem_check_semop,
3741 .mpo_sysvsem_cleanup = biba_sysvsem_cleanup,
3742 .mpo_sysvsem_create = biba_sysvsem_create,
3743 .mpo_sysvsem_destroy_label = biba_destroy_label,
3744 .mpo_sysvsem_init_label = biba_init_label,
3746 .mpo_sysvshm_check_shmat = biba_sysvshm_check_shmat,
3747 .mpo_sysvshm_check_shmctl = biba_sysvshm_check_shmctl,
3748 .mpo_sysvshm_check_shmget = biba_sysvshm_check_shmget,
3749 .mpo_sysvshm_cleanup = biba_sysvshm_cleanup,
3750 .mpo_sysvshm_create = biba_sysvshm_create,
3751 .mpo_sysvshm_destroy_label = biba_destroy_label,
3752 .mpo_sysvshm_init_label = biba_init_label,
3754 .mpo_vnode_associate_extattr = biba_vnode_associate_extattr,
3755 .mpo_vnode_associate_singlelabel = biba_vnode_associate_singlelabel,
3756 .mpo_vnode_check_access = biba_vnode_check_open,
3757 .mpo_vnode_check_chdir = biba_vnode_check_chdir,
3758 .mpo_vnode_check_chroot = biba_vnode_check_chroot,
3759 .mpo_vnode_check_create = biba_vnode_check_create,
3760 .mpo_vnode_check_deleteacl = biba_vnode_check_deleteacl,
3761 .mpo_vnode_check_deleteextattr = biba_vnode_check_deleteextattr,
3762 .mpo_vnode_check_exec = biba_vnode_check_exec,
3763 .mpo_vnode_check_getacl = biba_vnode_check_getacl,
3764 .mpo_vnode_check_getextattr = biba_vnode_check_getextattr,
3765 .mpo_vnode_check_link = biba_vnode_check_link,
3766 .mpo_vnode_check_listextattr = biba_vnode_check_listextattr,
3767 .mpo_vnode_check_lookup = biba_vnode_check_lookup,
3768 .mpo_vnode_check_mmap = biba_vnode_check_mmap,
3769 .mpo_vnode_check_open = biba_vnode_check_open,
3770 .mpo_vnode_check_poll = biba_vnode_check_poll,
3771 .mpo_vnode_check_read = biba_vnode_check_read,
3772 .mpo_vnode_check_readdir = biba_vnode_check_readdir,
3773 .mpo_vnode_check_readlink = biba_vnode_check_readlink,
3774 .mpo_vnode_check_relabel = biba_vnode_check_relabel,
3775 .mpo_vnode_check_rename_from = biba_vnode_check_rename_from,
3776 .mpo_vnode_check_rename_to = biba_vnode_check_rename_to,
3777 .mpo_vnode_check_revoke = biba_vnode_check_revoke,
3778 .mpo_vnode_check_setacl = biba_vnode_check_setacl,
3779 .mpo_vnode_check_setextattr = biba_vnode_check_setextattr,
3780 .mpo_vnode_check_setflags = biba_vnode_check_setflags,
3781 .mpo_vnode_check_setmode = biba_vnode_check_setmode,
3782 .mpo_vnode_check_setowner = biba_vnode_check_setowner,
3783 .mpo_vnode_check_setutimes = biba_vnode_check_setutimes,
3784 .mpo_vnode_check_stat = biba_vnode_check_stat,
3785 .mpo_vnode_check_unlink = biba_vnode_check_unlink,
3786 .mpo_vnode_check_write = biba_vnode_check_write,
3787 .mpo_vnode_create_extattr = biba_vnode_create_extattr,
3788 .mpo_vnode_copy_label = biba_copy_label,
3789 .mpo_vnode_destroy_label = biba_destroy_label,
3790 .mpo_vnode_externalize_label = biba_externalize_label,
3791 .mpo_vnode_init_label = biba_init_label,
3792 .mpo_vnode_internalize_label = biba_internalize_label,
3793 .mpo_vnode_relabel = biba_vnode_relabel,
3794 .mpo_vnode_setlabel_extattr = biba_vnode_setlabel_extattr,
3797 MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba",
3798 MPC_LOADTIME_FLAG_NOTLATE, &biba_slot);
projects / FreeBSD / FreeBSD.git / blob