2 * Copyright (c) 1999-2002 Robert N. M. Watson
3 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
6 * This software was developed by Robert Watson for the TrustedBSD Project.
8 * This software was developed for the FreeBSD Project in part by NAI Labs,
9 * the Security Research Division of Network Associates, Inc. under
10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
11 * CHATS research program.
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * Developed by the TrustedBSD Project.
39 * Low-watermark floating label mandatory integrity policy.
42 #include <sys/types.h>
43 #include <sys/param.h>
46 #include <sys/extattr.h>
47 #include <sys/kernel.h>
49 #include <sys/malloc.h>
51 #include <sys/mount.h>
54 #include <sys/systm.h>
55 #include <sys/sysproto.h>
56 #include <sys/sysent.h>
57 #include <sys/systm.h>
58 #include <sys/vnode.h>
60 #include <sys/socket.h>
61 #include <sys/socketvar.h>
64 #include <sys/sysctl.h>
65 #include <sys/syslog.h>
67 #include <fs/devfs/devfs.h>
69 #include <net/bpfdesc.h>
71 #include <net/if_types.h>
72 #include <net/if_var.h>
74 #include <netinet/in.h>
75 #include <netinet/in_pcb.h>
76 #include <netinet/ip_var.h>
80 #include <sys/mac_policy.h>
82 #include <security/mac_lomac/mac_lomac.h>
84 struct mac_lomac_proc {
85 struct mac_lomac mac_lomac;
89 SYSCTL_DECL(_security_mac);
91 SYSCTL_NODE(_security_mac, OID_AUTO, lomac, CTLFLAG_RW, 0,
92 "TrustedBSD mac_lomac policy controls");
94 static int mac_lomac_label_size = sizeof(struct mac_lomac);
95 SYSCTL_INT(_security_mac_lomac, OID_AUTO, label_size, CTLFLAG_RD,
96 &mac_lomac_label_size, 0, "Size of struct mac_lomac");
98 static int mac_lomac_enabled = 1;
99 SYSCTL_INT(_security_mac_lomac, OID_AUTO, enabled, CTLFLAG_RW,
100 &mac_lomac_enabled, 0, "Enforce MAC/LOMAC policy");
101 TUNABLE_INT("security.mac.lomac.enabled", &mac_lomac_enabled);
103 static int destroyed_not_inited;
104 SYSCTL_INT(_security_mac_lomac, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
105 &destroyed_not_inited, 0, "Count of labels destroyed but not inited");
107 static int trust_all_interfaces = 0;
108 SYSCTL_INT(_security_mac_lomac, OID_AUTO, trust_all_interfaces, CTLFLAG_RD,
109 &trust_all_interfaces, 0, "Consider all interfaces 'trusted' by MAC/LOMAC");
110 TUNABLE_INT("security.mac.lomac.trust_all_interfaces", &trust_all_interfaces);
112 static char trusted_interfaces[128];
113 SYSCTL_STRING(_security_mac_lomac, OID_AUTO, trusted_interfaces, CTLFLAG_RD,
114 trusted_interfaces, 0, "Interfaces considered 'trusted' by MAC/LOMAC");
115 TUNABLE_STR("security.mac.lomac.trusted_interfaces", trusted_interfaces,
116 sizeof(trusted_interfaces));
118 static int ptys_equal = 0;
119 SYSCTL_INT(_security_mac_lomac, OID_AUTO, ptys_equal, CTLFLAG_RW,
120 &ptys_equal, 0, "Label pty devices as lomac/equal on create");
121 TUNABLE_INT("security.mac.lomac.ptys_equal", &ptys_equal);
123 static int revocation_enabled = 1;
124 SYSCTL_INT(_security_mac_lomac, OID_AUTO, revocation_enabled, CTLFLAG_RW,
125 &revocation_enabled, 0, "Revoke access to objects on relabel");
126 TUNABLE_INT("security.mac.lomac.revocation_enabled", &revocation_enabled);
128 static int mac_lomac_slot;
129 #define SLOT(l) ((struct mac_lomac *)LABEL_TO_SLOT((l), mac_lomac_slot).l_ptr)
130 #define SLOT_SET(l, val) (LABEL_TO_SLOT((l), mac_lomac_slot).l_ptr = (val))
131 #define PSLOT(l) ((struct mac_lomac_proc *) \
132 LABEL_TO_SLOT((l), mac_lomac_slot).l_ptr)
133 #define PSLOT_SET(l, val) (LABEL_TO_SLOT((l), mac_lomac_slot).l_ptr = (val))
135 MALLOC_DEFINE(M_MACLOMAC, "mac_lomac_label", "MAC/LOMAC labels");
137 static struct mac_lomac *
138 lomac_alloc(int flag)
140 struct mac_lomac *mac_lomac;
142 mac_lomac = malloc(sizeof(struct mac_lomac), M_MACLOMAC, M_ZERO | flag);
148 lomac_free(struct mac_lomac *mac_lomac)
151 if (mac_lomac != NULL)
152 free(mac_lomac, M_MACLOMAC);
154 atomic_add_int(&destroyed_not_inited, 1);
158 lomac_atmostflags(struct mac_lomac *mac_lomac, int flags)
161 if ((mac_lomac->ml_flags & flags) != mac_lomac->ml_flags)
167 mac_lomac_dominate_element(struct mac_lomac_element *a,
168 struct mac_lomac_element *b)
171 switch (a->mle_type) {
172 case MAC_LOMAC_TYPE_EQUAL:
173 case MAC_LOMAC_TYPE_HIGH:
176 case MAC_LOMAC_TYPE_LOW:
177 switch (b->mle_type) {
178 case MAC_LOMAC_TYPE_GRADE:
179 case MAC_LOMAC_TYPE_HIGH:
182 case MAC_LOMAC_TYPE_EQUAL:
183 case MAC_LOMAC_TYPE_LOW:
187 panic("mac_lomac_dominate_element: b->mle_type invalid");
190 case MAC_LOMAC_TYPE_GRADE:
191 switch (b->mle_type) {
192 case MAC_LOMAC_TYPE_EQUAL:
193 case MAC_LOMAC_TYPE_LOW:
196 case MAC_LOMAC_TYPE_HIGH:
199 case MAC_LOMAC_TYPE_GRADE:
200 return (a->mle_grade >= b->mle_grade);
203 panic("mac_lomac_dominate_element: b->mle_type invalid");
207 panic("mac_lomac_dominate_element: a->mle_type invalid");
212 mac_lomac_range_in_range(struct mac_lomac *rangea, struct mac_lomac *rangeb)
215 return (mac_lomac_dominate_element(&rangeb->ml_rangehigh,
216 &rangea->ml_rangehigh) &&
217 mac_lomac_dominate_element(&rangea->ml_rangelow,
218 &rangeb->ml_rangelow));
222 mac_lomac_single_in_range(struct mac_lomac *single, struct mac_lomac *range)
225 KASSERT((single->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
226 ("mac_lomac_single_in_range: a not single"));
227 KASSERT((range->ml_flags & MAC_LOMAC_FLAG_RANGE) != 0,
228 ("mac_lomac_single_in_range: b not range"));
230 return (mac_lomac_dominate_element(&range->ml_rangehigh,
231 &single->ml_single) &&
232 mac_lomac_dominate_element(&single->ml_single,
233 &range->ml_rangelow));
237 mac_lomac_auxsingle_in_range(struct mac_lomac *single, struct mac_lomac *range)
240 KASSERT((single->ml_flags & MAC_LOMAC_FLAG_AUX) != 0,
241 ("mac_lomac_single_in_range: a not auxsingle"));
242 KASSERT((range->ml_flags & MAC_LOMAC_FLAG_RANGE) != 0,
243 ("mac_lomac_single_in_range: b not range"));
245 return (mac_lomac_dominate_element(&range->ml_rangehigh,
246 &single->ml_auxsingle) &&
247 mac_lomac_dominate_element(&single->ml_auxsingle,
248 &range->ml_rangelow));
252 mac_lomac_dominate_single(struct mac_lomac *a, struct mac_lomac *b)
254 KASSERT((a->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
255 ("mac_lomac_dominate_single: a not single"));
256 KASSERT((b->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
257 ("mac_lomac_dominate_single: b not single"));
259 return (mac_lomac_dominate_element(&a->ml_single, &b->ml_single));
263 mac_lomac_subject_dominate(struct mac_lomac *a, struct mac_lomac *b)
265 KASSERT((~a->ml_flags &
266 (MAC_LOMAC_FLAG_SINGLE | MAC_LOMAC_FLAG_RANGE)) == 0,
267 ("mac_lomac_dominate_single: a not subject"));
268 KASSERT((b->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
269 ("mac_lomac_dominate_single: b not single"));
271 return (mac_lomac_dominate_element(&a->ml_rangehigh,
276 mac_lomac_equal_element(struct mac_lomac_element *a, struct mac_lomac_element *b)
279 if (a->mle_type == MAC_LOMAC_TYPE_EQUAL ||
280 b->mle_type == MAC_LOMAC_TYPE_EQUAL)
283 return (a->mle_type == b->mle_type && a->mle_grade == b->mle_grade);
287 mac_lomac_equal_single(struct mac_lomac *a, struct mac_lomac *b)
290 KASSERT((a->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
291 ("mac_lomac_equal_single: a not single"));
292 KASSERT((b->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
293 ("mac_lomac_equal_single: b not single"));
295 return (mac_lomac_equal_element(&a->ml_single, &b->ml_single));
299 mac_lomac_contains_equal(struct mac_lomac *mac_lomac)
302 if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_SINGLE)
303 if (mac_lomac->ml_single.mle_type == MAC_LOMAC_TYPE_EQUAL)
305 if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_AUX)
306 if (mac_lomac->ml_auxsingle.mle_type == MAC_LOMAC_TYPE_EQUAL)
309 if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_RANGE) {
310 if (mac_lomac->ml_rangelow.mle_type == MAC_LOMAC_TYPE_EQUAL)
312 if (mac_lomac->ml_rangehigh.mle_type == MAC_LOMAC_TYPE_EQUAL)
320 mac_lomac_subject_privileged(struct mac_lomac *mac_lomac)
323 KASSERT((mac_lomac->ml_flags & MAC_LOMAC_FLAGS_BOTH) ==
324 MAC_LOMAC_FLAGS_BOTH,
325 ("mac_lomac_subject_privileged: subject doesn't have both labels"));
327 /* If the single is EQUAL, it's ok. */
328 if (mac_lomac->ml_single.mle_type == MAC_LOMAC_TYPE_EQUAL)
331 /* If either range endpoint is EQUAL, it's ok. */
332 if (mac_lomac->ml_rangelow.mle_type == MAC_LOMAC_TYPE_EQUAL ||
333 mac_lomac->ml_rangehigh.mle_type == MAC_LOMAC_TYPE_EQUAL)
336 /* If the range is low-high, it's ok. */
337 if (mac_lomac->ml_rangelow.mle_type == MAC_LOMAC_TYPE_LOW &&
338 mac_lomac->ml_rangehigh.mle_type == MAC_LOMAC_TYPE_HIGH)
346 mac_lomac_high_single(struct mac_lomac *mac_lomac)
349 KASSERT((mac_lomac->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
350 ("mac_lomac_high_single: mac_lomac not single"));
352 return (mac_lomac->ml_single.mle_type == MAC_LOMAC_TYPE_HIGH);
356 mac_lomac_valid(struct mac_lomac *mac_lomac)
359 if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_SINGLE) {
360 switch (mac_lomac->ml_single.mle_type) {
361 case MAC_LOMAC_TYPE_GRADE:
362 case MAC_LOMAC_TYPE_EQUAL:
363 case MAC_LOMAC_TYPE_HIGH:
364 case MAC_LOMAC_TYPE_LOW:
371 if (mac_lomac->ml_single.mle_type != MAC_LOMAC_TYPE_UNDEF)
375 if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_AUX) {
376 switch (mac_lomac->ml_auxsingle.mle_type) {
377 case MAC_LOMAC_TYPE_GRADE:
378 case MAC_LOMAC_TYPE_EQUAL:
379 case MAC_LOMAC_TYPE_HIGH:
380 case MAC_LOMAC_TYPE_LOW:
387 if (mac_lomac->ml_auxsingle.mle_type != MAC_LOMAC_TYPE_UNDEF)
391 if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_RANGE) {
392 switch (mac_lomac->ml_rangelow.mle_type) {
393 case MAC_LOMAC_TYPE_GRADE:
394 case MAC_LOMAC_TYPE_EQUAL:
395 case MAC_LOMAC_TYPE_HIGH:
396 case MAC_LOMAC_TYPE_LOW:
403 switch (mac_lomac->ml_rangehigh.mle_type) {
404 case MAC_LOMAC_TYPE_GRADE:
405 case MAC_LOMAC_TYPE_EQUAL:
406 case MAC_LOMAC_TYPE_HIGH:
407 case MAC_LOMAC_TYPE_LOW:
413 if (!mac_lomac_dominate_element(&mac_lomac->ml_rangehigh,
414 &mac_lomac->ml_rangelow))
417 if (mac_lomac->ml_rangelow.mle_type != MAC_LOMAC_TYPE_UNDEF ||
418 mac_lomac->ml_rangehigh.mle_type != MAC_LOMAC_TYPE_UNDEF)
426 mac_lomac_set_range(struct mac_lomac *mac_lomac, u_short typelow,
427 u_short gradelow, u_short typehigh, u_short gradehigh)
430 mac_lomac->ml_rangelow.mle_type = typelow;
431 mac_lomac->ml_rangelow.mle_grade = gradelow;
432 mac_lomac->ml_rangehigh.mle_type = typehigh;
433 mac_lomac->ml_rangehigh.mle_grade = gradehigh;
434 mac_lomac->ml_flags |= MAC_LOMAC_FLAG_RANGE;
438 mac_lomac_set_single(struct mac_lomac *mac_lomac, u_short type, u_short grade)
441 mac_lomac->ml_single.mle_type = type;
442 mac_lomac->ml_single.mle_grade = grade;
443 mac_lomac->ml_flags |= MAC_LOMAC_FLAG_SINGLE;
447 mac_lomac_copy_range(struct mac_lomac *labelfrom, struct mac_lomac *labelto)
450 KASSERT((labelfrom->ml_flags & MAC_LOMAC_FLAG_RANGE) != 0,
451 ("mac_lomac_copy_range: labelfrom not range"));
453 labelto->ml_rangelow = labelfrom->ml_rangelow;
454 labelto->ml_rangehigh = labelfrom->ml_rangehigh;
455 labelto->ml_flags |= MAC_LOMAC_FLAG_RANGE;
459 mac_lomac_copy_single(struct mac_lomac *labelfrom, struct mac_lomac *labelto)
462 KASSERT((labelfrom->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
463 ("mac_lomac_copy_single: labelfrom not single"));
465 labelto->ml_single = labelfrom->ml_single;
466 labelto->ml_flags |= MAC_LOMAC_FLAG_SINGLE;
470 mac_lomac_copy_auxsingle(struct mac_lomac *labelfrom, struct mac_lomac *labelto)
473 KASSERT((labelfrom->ml_flags & MAC_LOMAC_FLAG_AUX) != 0,
474 ("mac_lomac_copy_auxsingle: labelfrom not auxsingle"));
476 labelto->ml_auxsingle = labelfrom->ml_auxsingle;
477 labelto->ml_flags |= MAC_LOMAC_FLAG_AUX;
481 mac_lomac_copy(struct mac_lomac *source, struct mac_lomac *dest)
484 if (source->ml_flags & MAC_LOMAC_FLAG_SINGLE)
485 mac_lomac_copy_single(source, dest);
486 if (source->ml_flags & MAC_LOMAC_FLAG_AUX)
487 mac_lomac_copy_auxsingle(source, dest);
488 if (source->ml_flags & MAC_LOMAC_FLAG_RANGE)
489 mac_lomac_copy_range(source, dest);
492 static int mac_lomac_to_string(struct sbuf *sb,
493 struct mac_lomac *mac_lomac);
496 maybe_demote(struct mac_lomac *subjlabel, struct mac_lomac *objlabel,
497 const char *actionname, const char *objname, struct vnode *vpq)
499 struct sbuf subjlabel_sb, subjtext_sb, objlabel_sb;
500 char *subjlabeltext, *objlabeltext, *subjtext;
501 struct mac_lomac cached_subjlabel;
502 struct mac_lomac_proc *subj;
507 subj = PSLOT(curthread->td_proc->p_label);
509 p = curthread->td_proc;
510 mtx_lock(&subj->mtx);
511 if (subj->mac_lomac.ml_flags & MAC_LOMAC_FLAG_UPDATE) {
513 * Check to see if the pending demotion would be more or
514 * less severe than this one, and keep the more severe.
515 * This can only happen for a multi-threaded application.
517 if (mac_lomac_dominate_single(objlabel, &subj->mac_lomac)) {
518 mtx_unlock(&subj->mtx);
522 bzero(&subj->mac_lomac, sizeof(subj->mac_lomac));
524 * Always demote the single label.
526 mac_lomac_copy_single(objlabel, &subj->mac_lomac);
528 * Start with the original range, then minimize each side of
529 * the range to the point of not dominating the object. The
530 * high side will always be demoted, of course.
532 mac_lomac_copy_range(subjlabel, &subj->mac_lomac);
533 if (!mac_lomac_dominate_element(&objlabel->ml_single,
534 &subj->mac_lomac.ml_rangelow))
535 subj->mac_lomac.ml_rangelow = objlabel->ml_single;
536 subj->mac_lomac.ml_rangehigh = objlabel->ml_single;
537 subj->mac_lomac.ml_flags |= MAC_LOMAC_FLAG_UPDATE;
538 mtx_lock_spin(&sched_lock);
539 curthread->td_flags |= TDF_ASTPENDING;
540 curthread->td_proc->p_sflag |= PS_MACPEND;
541 mtx_unlock_spin(&sched_lock);
544 * Avoid memory allocation while holding a mutex; cache the
547 mac_lomac_copy_single(&subj->mac_lomac, &cached_subjlabel);
548 mtx_unlock(&subj->mtx);
550 sbuf_new(&subjlabel_sb, NULL, 0, SBUF_AUTOEXTEND);
551 mac_lomac_to_string(&subjlabel_sb, subjlabel);
552 sbuf_finish(&subjlabel_sb);
553 subjlabeltext = sbuf_data(&subjlabel_sb);
555 sbuf_new(&subjtext_sb, NULL, 0, SBUF_AUTOEXTEND);
556 mac_lomac_to_string(&subjtext_sb, &subj->mac_lomac);
557 sbuf_finish(&subjtext_sb);
558 subjtext = sbuf_data(&subjtext_sb);
560 sbuf_new(&objlabel_sb, NULL, 0, SBUF_AUTOEXTEND);
561 mac_lomac_to_string(&objlabel_sb, objlabel);
562 sbuf_finish(&objlabel_sb);
563 objlabeltext = sbuf_data(&objlabel_sb);
565 pgid = p->p_pgrp->pg_id; /* XXX could be stale? */
566 if (vpq != NULL && VOP_GETATTR(vpq, &va, curthread->td_ucred,
568 log(LOG_INFO, "LOMAC: level-%s subject p%dg%du%d:%s demoted to"
569 " level %s after %s a level-%s %s (inode=%ld, "
571 subjlabeltext, p->p_pid, pgid, curthread->td_ucred->cr_uid,
572 p->p_comm, subjtext, actionname, objlabeltext, objname,
573 va.va_fileid, vpq->v_mount->mnt_stat.f_mntonname);
575 log(LOG_INFO, "LOMAC: level-%s subject p%dg%du%d:%s demoted to"
576 " level %s after %s a level-%s %s\n",
577 subjlabeltext, p->p_pid, pgid, curthread->td_ucred->cr_uid,
578 p->p_comm, subjtext, actionname, objlabeltext, objname);
581 sbuf_delete(&subjlabel_sb);
582 sbuf_delete(&subjtext_sb);
583 sbuf_delete(&objlabel_sb);
589 * Relabel "to" to "from" only if "from" is a valid label (contains
590 * at least a single), as for a relabel operation which may or may
591 * not involve a relevant label.
594 try_relabel(struct mac_lomac *from, struct mac_lomac *to)
597 if (from->ml_flags & MAC_LOMAC_FLAG_SINGLE) {
598 bzero(to, sizeof(*to));
599 mac_lomac_copy(from, to);
604 * Policy module operations.
607 mac_lomac_init(struct mac_policy_conf *conf)
616 mac_lomac_init_label(struct label *label)
619 SLOT_SET(label, lomac_alloc(M_WAITOK));
623 mac_lomac_init_label_waitcheck(struct label *label, int flag)
626 SLOT_SET(label, lomac_alloc(flag));
627 if (SLOT(label) == NULL)
634 mac_lomac_init_proc_label(struct label *label)
637 PSLOT_SET(label, malloc(sizeof(struct mac_lomac_proc), M_MACLOMAC,
639 mtx_init(&PSLOT(label)->mtx, "MAC/Lomac proc lock", NULL, MTX_DEF);
643 mac_lomac_destroy_label(struct label *label)
646 lomac_free(SLOT(label));
647 SLOT_SET(label, NULL);
651 mac_lomac_destroy_proc_label(struct label *label)
654 mtx_destroy(&PSLOT(label)->mtx);
655 FREE(PSLOT(label), M_MACLOMAC);
656 PSLOT_SET(label, NULL);
660 mac_lomac_element_to_string(struct sbuf *sb, struct mac_lomac_element *element)
663 switch (element->mle_type) {
664 case MAC_LOMAC_TYPE_HIGH:
665 return (sbuf_printf(sb, "high"));
667 case MAC_LOMAC_TYPE_LOW:
668 return (sbuf_printf(sb, "low"));
670 case MAC_LOMAC_TYPE_EQUAL:
671 return (sbuf_printf(sb, "equal"));
673 case MAC_LOMAC_TYPE_GRADE:
674 return (sbuf_printf(sb, "%d", element->mle_grade));
677 panic("mac_lomac_element_to_string: invalid type (%d)",
683 mac_lomac_to_string(struct sbuf *sb, struct mac_lomac *mac_lomac)
686 if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_SINGLE) {
687 if (mac_lomac_element_to_string(sb, &mac_lomac->ml_single)
692 if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_AUX) {
693 if (sbuf_putc(sb, '[') == -1)
696 if (mac_lomac_element_to_string(sb, &mac_lomac->ml_auxsingle)
700 if (sbuf_putc(sb, ']') == -1)
704 if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_RANGE) {
705 if (sbuf_putc(sb, '(') == -1)
708 if (mac_lomac_element_to_string(sb, &mac_lomac->ml_rangelow)
712 if (sbuf_putc(sb, '-') == -1)
715 if (mac_lomac_element_to_string(sb, &mac_lomac->ml_rangehigh)
719 if (sbuf_putc(sb, ')') == -1)
727 mac_lomac_externalize_label(struct label *label, char *element_name,
728 struct sbuf *sb, int *claimed)
730 struct mac_lomac *mac_lomac;
732 if (strcmp(MAC_LOMAC_LABEL_NAME, element_name) != 0)
737 mac_lomac = SLOT(label);
739 return (mac_lomac_to_string(sb, mac_lomac));
743 mac_lomac_parse_element(struct mac_lomac_element *element, char *string)
746 if (strcmp(string, "high") == 0 ||
747 strcmp(string, "hi") == 0) {
748 element->mle_type = MAC_LOMAC_TYPE_HIGH;
749 element->mle_grade = MAC_LOMAC_TYPE_UNDEF;
750 } else if (strcmp(string, "low") == 0 ||
751 strcmp(string, "lo") == 0) {
752 element->mle_type = MAC_LOMAC_TYPE_LOW;
753 element->mle_grade = MAC_LOMAC_TYPE_UNDEF;
754 } else if (strcmp(string, "equal") == 0 ||
755 strcmp(string, "eq") == 0) {
756 element->mle_type = MAC_LOMAC_TYPE_EQUAL;
757 element->mle_grade = MAC_LOMAC_TYPE_UNDEF;
763 d = strtol(p0, &p1, 10);
765 if (d < 0 || d > 65535)
767 element->mle_type = MAC_LOMAC_TYPE_GRADE;
768 element->mle_grade = d;
770 if (p1 == p0 || *p1 != '\0')
778 * Note: destructively consumes the string, make a local copy before
779 * calling if that's a problem.
782 mac_lomac_parse(struct mac_lomac *mac_lomac, char *string)
784 char *range, *rangeend, *rangehigh, *rangelow, *single, *auxsingle,
788 /* Do we have a range? */
790 range = index(string, '(');
793 auxsingle = index(string, '[');
794 if (auxsingle == single)
796 if (range != NULL && auxsingle != NULL)
798 rangelow = rangehigh = NULL;
800 /* Nul terminate the end of the single string. */
804 rangehigh = index(rangelow, '-');
805 if (rangehigh == NULL)
808 if (*rangelow == '\0' || *rangehigh == '\0')
810 rangeend = index(rangehigh, ')');
811 if (rangeend == NULL)
813 if (*(rangeend + 1) != '\0')
815 /* Nul terminate the ends of the ranges. */
816 *(rangehigh - 1) = '\0';
819 KASSERT((rangelow != NULL && rangehigh != NULL) ||
820 (rangelow == NULL && rangehigh == NULL),
821 ("mac_lomac_internalize_label: range mismatch"));
822 if (auxsingle != NULL) {
823 /* Nul terminate the end of the single string. */
826 auxsingleend = index(auxsingle, ']');
827 if (auxsingleend == NULL)
829 if (*(auxsingleend + 1) != '\0')
831 /* Nul terminate the end of the auxsingle. */
832 *auxsingleend = '\0';
835 bzero(mac_lomac, sizeof(*mac_lomac));
836 if (single != NULL) {
837 error = mac_lomac_parse_element(&mac_lomac->ml_single, single);
840 mac_lomac->ml_flags |= MAC_LOMAC_FLAG_SINGLE;
843 if (auxsingle != NULL) {
844 error = mac_lomac_parse_element(&mac_lomac->ml_auxsingle,
848 mac_lomac->ml_flags |= MAC_LOMAC_FLAG_AUX;
851 if (rangelow != NULL) {
852 error = mac_lomac_parse_element(&mac_lomac->ml_rangelow,
856 error = mac_lomac_parse_element(&mac_lomac->ml_rangehigh,
860 mac_lomac->ml_flags |= MAC_LOMAC_FLAG_RANGE;
863 error = mac_lomac_valid(mac_lomac);
871 mac_lomac_internalize_label(struct label *label, char *element_name,
872 char *element_data, int *claimed)
874 struct mac_lomac *mac_lomac, mac_lomac_temp;
877 if (strcmp(MAC_LOMAC_LABEL_NAME, element_name) != 0)
882 error = mac_lomac_parse(&mac_lomac_temp, element_data);
886 mac_lomac = SLOT(label);
887 *mac_lomac = mac_lomac_temp;
893 mac_lomac_copy_label(struct label *src, struct label *dest)
896 *SLOT(dest) = *SLOT(src);
900 * Labeling event operations: file system objects, and things that look
901 * a lot like file system objects.
904 mac_lomac_create_devfs_device(struct ucred *cred, struct mount *mp,
905 struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
907 struct mac_lomac *mac_lomac;
910 mac_lomac = SLOT(label);
911 if (strcmp(dev->si_name, "null") == 0 ||
912 strcmp(dev->si_name, "zero") == 0 ||
913 strcmp(dev->si_name, "random") == 0 ||
914 strncmp(dev->si_name, "fd/", strlen("fd/")) == 0 ||
915 strncmp(dev->si_name, "ttyv", strlen("ttyv")) == 0)
916 lomac_type = MAC_LOMAC_TYPE_EQUAL;
917 else if (ptys_equal &&
918 (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||
919 strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))
920 lomac_type = MAC_LOMAC_TYPE_EQUAL;
922 lomac_type = MAC_LOMAC_TYPE_HIGH;
923 mac_lomac_set_single(mac_lomac, lomac_type, 0);
927 mac_lomac_create_devfs_directory(struct mount *mp, char *dirname,
928 int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
930 struct mac_lomac *mac_lomac;
932 mac_lomac = SLOT(label);
933 mac_lomac_set_single(mac_lomac, MAC_LOMAC_TYPE_HIGH, 0);
937 mac_lomac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
938 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
939 struct label *delabel)
941 struct mac_lomac *source, *dest;
943 source = SLOT(cred->cr_label);
944 dest = SLOT(delabel);
946 mac_lomac_copy_single(source, dest);
950 mac_lomac_create_mount(struct ucred *cred, struct mount *mp,
951 struct label *mntlabel, struct label *fslabel)
953 struct mac_lomac *source, *dest;
955 source = SLOT(cred->cr_label);
956 dest = SLOT(mntlabel);
957 mac_lomac_copy_single(source, dest);
958 dest = SLOT(fslabel);
959 mac_lomac_copy_single(source, dest);
963 mac_lomac_relabel_vnode(struct ucred *cred, struct vnode *vp,
964 struct label *vnodelabel, struct label *label)
966 struct mac_lomac *source, *dest;
968 source = SLOT(label);
969 dest = SLOT(vnodelabel);
971 try_relabel(source, dest);
975 mac_lomac_update_devfsdirent(struct mount *mp,
976 struct devfs_dirent *devfs_dirent, struct label *direntlabel,
977 struct vnode *vp, struct label *vnodelabel)
979 struct mac_lomac *source, *dest;
981 source = SLOT(vnodelabel);
982 dest = SLOT(direntlabel);
984 mac_lomac_copy(source, dest);
988 mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
989 struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
990 struct label *vlabel)
992 struct mac_lomac *source, *dest;
994 source = SLOT(delabel);
997 mac_lomac_copy_single(source, dest);
1001 mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
1002 struct vnode *vp, struct label *vlabel)
1004 struct mac_lomac temp, *source, *dest;
1007 source = SLOT(fslabel);
1008 dest = SLOT(vlabel);
1010 buflen = sizeof(temp);
1011 bzero(&temp, buflen);
1013 error = vn_extattr_get(vp, IO_NODELOCKED, MAC_LOMAC_EXTATTR_NAMESPACE,
1014 MAC_LOMAC_EXTATTR_NAME, &buflen, (char *)&temp, curthread);
1015 if (error == ENOATTR || error == EOPNOTSUPP) {
1016 /* Fall back to the fslabel. */
1017 mac_lomac_copy_single(source, dest);
1022 if (buflen != sizeof(temp)) {
1023 if (buflen != sizeof(temp) - sizeof(temp.ml_auxsingle)) {
1024 printf("mac_lomac_associate_vnode_extattr: bad size %d\n",
1028 bzero(&temp.ml_auxsingle, sizeof(temp.ml_auxsingle));
1029 buflen = sizeof(temp);
1030 (void)vn_extattr_set(vp, IO_NODELOCKED,
1031 MAC_LOMAC_EXTATTR_NAMESPACE, MAC_LOMAC_EXTATTR_NAME,
1032 buflen, (char *)&temp, curthread);
1034 if (mac_lomac_valid(&temp) != 0) {
1035 printf("mac_lomac_associate_vnode_extattr: invalid\n");
1038 if ((temp.ml_flags & MAC_LOMAC_FLAGS_BOTH) != MAC_LOMAC_FLAG_SINGLE) {
1039 printf("mac_lomac_associate_vnode_extattr: not single\n");
1043 mac_lomac_copy_single(&temp, dest);
1048 mac_lomac_associate_vnode_singlelabel(struct mount *mp,
1049 struct label *fslabel, struct vnode *vp, struct label *vlabel)
1051 struct mac_lomac *source, *dest;
1053 source = SLOT(fslabel);
1054 dest = SLOT(vlabel);
1056 mac_lomac_copy_single(source, dest);
1060 mac_lomac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
1061 struct label *fslabel, struct vnode *dvp, struct label *dlabel,
1062 struct vnode *vp, struct label *vlabel, struct componentname *cnp)
1064 struct mac_lomac *source, *dest, *dir, temp;
1068 buflen = sizeof(temp);
1069 bzero(&temp, buflen);
1071 source = SLOT(cred->cr_label);
1072 dest = SLOT(vlabel);
1074 if (dir->ml_flags & MAC_LOMAC_FLAG_AUX) {
1075 mac_lomac_copy_auxsingle(dir, &temp);
1076 mac_lomac_set_single(&temp, dir->ml_auxsingle.mle_type,
1077 dir->ml_auxsingle.mle_grade);
1079 mac_lomac_copy_single(source, &temp);
1082 error = vn_extattr_set(vp, IO_NODELOCKED, MAC_LOMAC_EXTATTR_NAMESPACE,
1083 MAC_LOMAC_EXTATTR_NAME, buflen, (char *)&temp, curthread);
1085 mac_lomac_copy(&temp, dest);
1090 mac_lomac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
1091 struct label *vlabel, struct label *intlabel)
1093 struct mac_lomac *source, temp;
1097 buflen = sizeof(temp);
1098 bzero(&temp, buflen);
1100 source = SLOT(intlabel);
1101 if ((source->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0)
1104 mac_lomac_copy_single(source, &temp);
1105 error = vn_extattr_set(vp, IO_NODELOCKED, MAC_LOMAC_EXTATTR_NAMESPACE,
1106 MAC_LOMAC_EXTATTR_NAME, buflen, (char *)&temp, curthread);
1111 * Labeling event operations: IPC object.
1114 mac_lomac_create_inpcb_from_socket(struct socket *so, struct label *solabel,
1115 struct inpcb *inp, struct label *inplabel)
1117 struct mac_lomac *source, *dest;
1119 source = SLOT(solabel);
1120 dest = SLOT(inplabel);
1122 mac_lomac_copy_single(source, dest);
1126 mac_lomac_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
1127 struct mbuf *m, struct label *mbuflabel)
1129 struct mac_lomac *source, *dest;
1131 source = SLOT(socketlabel);
1132 dest = SLOT(mbuflabel);
1134 mac_lomac_copy_single(source, dest);
1138 mac_lomac_create_socket(struct ucred *cred, struct socket *socket,
1139 struct label *socketlabel)
1141 struct mac_lomac *source, *dest;
1143 source = SLOT(cred->cr_label);
1144 dest = SLOT(socketlabel);
1146 mac_lomac_copy_single(source, dest);
1150 mac_lomac_create_pipe(struct ucred *cred, struct pipepair *pp,
1151 struct label *pipelabel)
1153 struct mac_lomac *source, *dest;
1155 source = SLOT(cred->cr_label);
1156 dest = SLOT(pipelabel);
1158 mac_lomac_copy_single(source, dest);
1162 mac_lomac_create_socket_from_socket(struct socket *oldsocket,
1163 struct label *oldsocketlabel, struct socket *newsocket,
1164 struct label *newsocketlabel)
1166 struct mac_lomac *source, *dest;
1168 source = SLOT(oldsocketlabel);
1169 dest = SLOT(newsocketlabel);
1171 mac_lomac_copy_single(source, dest);
1175 mac_lomac_relabel_socket(struct ucred *cred, struct socket *socket,
1176 struct label *socketlabel, struct label *newlabel)
1178 struct mac_lomac *source, *dest;
1180 source = SLOT(newlabel);
1181 dest = SLOT(socketlabel);
1183 try_relabel(source, dest);
1187 mac_lomac_relabel_pipe(struct ucred *cred, struct pipepair *pp,
1188 struct label *pipelabel, struct label *newlabel)
1190 struct mac_lomac *source, *dest;
1192 source = SLOT(newlabel);
1193 dest = SLOT(pipelabel);
1195 try_relabel(source, dest);
1199 mac_lomac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
1200 struct socket *socket, struct label *socketpeerlabel)
1202 struct mac_lomac *source, *dest;
1204 source = SLOT(mbuflabel);
1205 dest = SLOT(socketpeerlabel);
1207 mac_lomac_copy_single(source, dest);
1211 * Labeling event operations: network objects.
1214 mac_lomac_set_socket_peer_from_socket(struct socket *oldsocket,
1215 struct label *oldsocketlabel, struct socket *newsocket,
1216 struct label *newsocketpeerlabel)
1218 struct mac_lomac *source, *dest;
1220 source = SLOT(oldsocketlabel);
1221 dest = SLOT(newsocketpeerlabel);
1223 mac_lomac_copy_single(source, dest);
1227 mac_lomac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
1228 struct label *bpflabel)
1230 struct mac_lomac *source, *dest;
1232 source = SLOT(cred->cr_label);
1233 dest = SLOT(bpflabel);
1235 mac_lomac_copy_single(source, dest);
1239 mac_lomac_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
1241 char tifname[IFNAMSIZ], *p, *q;
1242 char tiflist[sizeof(trusted_interfaces)];
1243 struct mac_lomac *dest;
1246 dest = SLOT(ifnetlabel);
1248 if (ifnet->if_type == IFT_LOOP) {
1249 grade = MAC_LOMAC_TYPE_EQUAL;
1253 if (trust_all_interfaces) {
1254 grade = MAC_LOMAC_TYPE_HIGH;
1258 grade = MAC_LOMAC_TYPE_LOW;
1260 if (trusted_interfaces[0] == '\0' ||
1261 !strvalid(trusted_interfaces, sizeof(trusted_interfaces)))
1264 bzero(tiflist, sizeof(tiflist));
1265 for (p = trusted_interfaces, q = tiflist; *p != '\0'; p++, q++)
1266 if(*p != ' ' && *p != '\t')
1269 for (p = q = tiflist;; p++) {
1270 if (*p == ',' || *p == '\0') {
1272 if (len < IFNAMSIZ) {
1273 bzero(tifname, sizeof(tifname));
1274 bcopy(q, tifname, len);
1275 if (strcmp(tifname, ifnet->if_xname) == 0) {
1276 grade = MAC_LOMAC_TYPE_HIGH;
1282 printf("MAC/LOMAC warning: interface name "
1283 "\"%s\" is too long (must be < %d)\n",
1292 mac_lomac_set_single(dest, grade, 0);
1293 mac_lomac_set_range(dest, grade, 0, grade, 0);
1297 mac_lomac_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
1298 struct ipq *ipq, struct label *ipqlabel)
1300 struct mac_lomac *source, *dest;
1302 source = SLOT(fragmentlabel);
1303 dest = SLOT(ipqlabel);
1305 mac_lomac_copy_single(source, dest);
1309 mac_lomac_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
1310 struct mbuf *datagram, struct label *datagramlabel)
1312 struct mac_lomac *source, *dest;
1314 source = SLOT(ipqlabel);
1315 dest = SLOT(datagramlabel);
1317 /* Just use the head, since we require them all to match. */
1318 mac_lomac_copy_single(source, dest);
1322 mac_lomac_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
1323 struct mbuf *fragment, struct label *fragmentlabel)
1325 struct mac_lomac *source, *dest;
1327 source = SLOT(datagramlabel);
1328 dest = SLOT(fragmentlabel);
1330 mac_lomac_copy_single(source, dest);
1334 mac_lomac_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
1335 struct mbuf *m, struct label *mlabel)
1337 struct mac_lomac *source, *dest;
1339 source = SLOT(inplabel);
1340 dest = SLOT(mlabel);
1342 mac_lomac_copy_single(source, dest);
1346 mac_lomac_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
1347 struct mbuf *mbuf, struct label *mbuflabel)
1349 struct mac_lomac *dest;
1351 dest = SLOT(mbuflabel);
1353 mac_lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
1357 mac_lomac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
1358 struct mbuf *mbuf, struct label *mbuflabel)
1360 struct mac_lomac *source, *dest;
1362 source = SLOT(bpflabel);
1363 dest = SLOT(mbuflabel);
1365 mac_lomac_copy_single(source, dest);
1369 mac_lomac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
1370 struct mbuf *m, struct label *mbuflabel)
1372 struct mac_lomac *source, *dest;
1374 source = SLOT(ifnetlabel);
1375 dest = SLOT(mbuflabel);
1377 mac_lomac_copy_single(source, dest);
1381 mac_lomac_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
1382 struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
1383 struct mbuf *newmbuf, struct label *newmbuflabel)
1385 struct mac_lomac *source, *dest;
1387 source = SLOT(oldmbuflabel);
1388 dest = SLOT(newmbuflabel);
1390 mac_lomac_copy_single(source, dest);
1394 mac_lomac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct label *oldmbuflabel,
1395 struct mbuf *newmbuf, struct label *newmbuflabel)
1397 struct mac_lomac *source, *dest;
1399 source = SLOT(oldmbuflabel);
1400 dest = SLOT(newmbuflabel);
1402 mac_lomac_copy_single(source, dest);
1406 mac_lomac_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
1407 struct ipq *ipq, struct label *ipqlabel)
1409 struct mac_lomac *a, *b;
1412 b = SLOT(fragmentlabel);
1414 return (mac_lomac_equal_single(a, b));
1418 mac_lomac_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
1419 struct label *ifnetlabel, struct label *newlabel)
1421 struct mac_lomac *source, *dest;
1423 source = SLOT(newlabel);
1424 dest = SLOT(ifnetlabel);
1426 try_relabel(source, dest);
1430 mac_lomac_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
1431 struct ipq *ipq, struct label *ipqlabel)
1434 /* NOOP: we only accept matching labels, so no need to update */
1438 mac_lomac_inpcb_sosetlabel(struct socket *so, struct label *solabel,
1439 struct inpcb *inp, struct label *inplabel)
1441 struct mac_lomac *source, *dest;
1443 source = SLOT(solabel);
1444 dest = SLOT(inplabel);
1446 mac_lomac_copy_single(source, dest);
1450 * Labeling event operations: processes.
1453 mac_lomac_execve_transition(struct ucred *old, struct ucred *new,
1454 struct vnode *vp, struct label *vnodelabel,
1455 struct label *interpvnodelabel, struct image_params *imgp,
1456 struct label *execlabel)
1458 struct mac_lomac *source, *dest, *obj, *robj;
1460 source = SLOT(old->cr_label);
1461 dest = SLOT(new->cr_label);
1462 obj = SLOT(vnodelabel);
1463 robj = interpvnodelabel != NULL ? SLOT(interpvnodelabel) : obj;
1465 mac_lomac_copy(source, dest);
1467 * If there's an auxiliary label on the real object, respect it
1468 * and assume that this level should be assumed immediately if
1469 * a higher level is currently in place.
1471 if (robj->ml_flags & MAC_LOMAC_FLAG_AUX &&
1472 !mac_lomac_dominate_element(&robj->ml_auxsingle, &dest->ml_single)
1473 && mac_lomac_auxsingle_in_range(robj, dest))
1474 mac_lomac_set_single(dest, robj->ml_auxsingle.mle_type,
1475 robj->ml_auxsingle.mle_grade);
1477 * Restructuring to use the execve transitioning mechanism
1478 * instead of the normal demotion mechanism here would be
1479 * difficult, so just copy the label over and perform standard
1480 * demotion. This is also non-optimal because it will result
1481 * in the intermediate label "new" being created and immediately
1484 if (mac_lomac_enabled && revocation_enabled &&
1485 !mac_lomac_dominate_single(obj, source))
1486 (void)maybe_demote(source, obj, "executing", "file", vp);
1490 mac_lomac_execve_will_transition(struct ucred *old, struct vnode *vp,
1491 struct label *vnodelabel, struct label *interpvnodelabel,
1492 struct image_params *imgp, struct label *execlabel)
1494 struct mac_lomac *subj, *obj, *robj;
1496 if (!mac_lomac_enabled || !revocation_enabled)
1499 subj = SLOT(old->cr_label);
1500 obj = SLOT(vnodelabel);
1501 robj = interpvnodelabel != NULL ? SLOT(interpvnodelabel) : obj;
1503 return ((robj->ml_flags & MAC_LOMAC_FLAG_AUX &&
1504 !mac_lomac_dominate_element(&robj->ml_auxsingle, &subj->ml_single)
1505 && mac_lomac_auxsingle_in_range(robj, subj)) ||
1506 !mac_lomac_dominate_single(obj, subj));
1510 mac_lomac_create_proc0(struct ucred *cred)
1512 struct mac_lomac *dest;
1514 dest = SLOT(cred->cr_label);
1516 mac_lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
1517 mac_lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH,
1522 mac_lomac_create_proc1(struct ucred *cred)
1524 struct mac_lomac *dest;
1526 dest = SLOT(cred->cr_label);
1528 mac_lomac_set_single(dest, MAC_LOMAC_TYPE_HIGH, 0);
1529 mac_lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH,
1534 mac_lomac_relabel_cred(struct ucred *cred, struct label *newlabel)
1536 struct mac_lomac *source, *dest;
1538 source = SLOT(newlabel);
1539 dest = SLOT(cred->cr_label);
1541 try_relabel(source, dest);
1545 * Access control checks.
1548 mac_lomac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
1549 struct ifnet *ifnet, struct label *ifnetlabel)
1551 struct mac_lomac *a, *b;
1553 if (!mac_lomac_enabled)
1557 b = SLOT(ifnetlabel);
1559 if (mac_lomac_equal_single(a, b))
1565 mac_lomac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
1567 struct mac_lomac *subj, *new;
1570 subj = SLOT(cred->cr_label);
1571 new = SLOT(newlabel);
1574 * If there is a LOMAC label update for the credential, it may
1575 * be an update of the single, range, or both.
1577 error = lomac_atmostflags(new, MAC_LOMAC_FLAGS_BOTH);
1582 * If the LOMAC label is to be changed, authorize as appropriate.
1584 if (new->ml_flags & MAC_LOMAC_FLAGS_BOTH) {
1586 * Fill in the missing parts from the previous label.
1588 if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0)
1589 mac_lomac_copy_single(subj, new);
1590 if ((new->ml_flags & MAC_LOMAC_FLAG_RANGE) == 0)
1591 mac_lomac_copy_range(subj, new);
1594 * To change the LOMAC range on a credential, the new
1595 * range label must be in the current range.
1597 if (!mac_lomac_range_in_range(new, subj))
1601 * To change the LOMAC single label on a credential, the
1602 * new single label must be in the new range. Implicitly
1603 * from the previous check, the new single is in the old
1606 if (!mac_lomac_single_in_range(new, new))
1610 * To have EQUAL in any component of the new credential
1611 * LOMAC label, the subject must already have EQUAL in
1614 if (mac_lomac_contains_equal(new)) {
1615 error = mac_lomac_subject_privileged(subj);
1621 * XXXMAC: Additional consistency tests regarding the
1622 * single and range of the new label might be performed
1631 mac_lomac_check_cred_visible(struct ucred *u1, struct ucred *u2)
1633 struct mac_lomac *subj, *obj;
1635 if (!mac_lomac_enabled)
1638 subj = SLOT(u1->cr_label);
1639 obj = SLOT(u2->cr_label);
1642 if (!mac_lomac_dominate_single(obj, subj))
1649 mac_lomac_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
1650 struct label *ifnetlabel, struct label *newlabel)
1652 struct mac_lomac *subj, *new;
1655 subj = SLOT(cred->cr_label);
1656 new = SLOT(newlabel);
1659 * If there is a LOMAC label update for the interface, it may
1660 * be an update of the single, range, or both.
1662 error = lomac_atmostflags(new, MAC_LOMAC_FLAGS_BOTH);
1667 * Relabling network interfaces requires LOMAC privilege.
1669 error = mac_lomac_subject_privileged(subj);
1674 * If the LOMAC label is to be changed, authorize as appropriate.
1676 if (new->ml_flags & MAC_LOMAC_FLAGS_BOTH) {
1678 * Fill in the missing parts from the previous label.
1680 if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0)
1681 mac_lomac_copy_single(subj, new);
1682 if ((new->ml_flags & MAC_LOMAC_FLAG_RANGE) == 0)
1683 mac_lomac_copy_range(subj, new);
1686 * Rely on the traditional superuser status for the LOMAC
1687 * interface relabel requirements. XXXMAC: This will go
1690 error = suser_cred(cred, 0);
1695 * XXXMAC: Additional consistency tests regarding the single
1696 * and the range of the new label might be performed here.
1704 mac_lomac_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
1705 struct mbuf *m, struct label *mbuflabel)
1707 struct mac_lomac *p, *i;
1709 if (!mac_lomac_enabled)
1712 p = SLOT(mbuflabel);
1713 i = SLOT(ifnetlabel);
1715 return (mac_lomac_single_in_range(p, i) ? 0 : EACCES);
1719 mac_lomac_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
1720 struct mbuf *m, struct label *mlabel)
1722 struct mac_lomac *p, *i;
1724 if (!mac_lomac_enabled)
1730 return (mac_lomac_equal_single(p, i) ? 0 : EACCES);
1734 mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp,
1735 struct label *label)
1737 struct mac_lomac *subj, *obj;
1739 if (!mac_lomac_enabled)
1742 subj = SLOT(cred->cr_label);
1745 if (mac_lomac_subject_privileged(subj))
1748 if (!mac_lomac_high_single(obj))
1755 mac_lomac_check_kld_unload(struct ucred *cred)
1757 struct mac_lomac *subj;
1759 if (!mac_lomac_enabled)
1762 subj = SLOT(cred->cr_label);
1764 if (mac_lomac_subject_privileged(subj))
1771 mac_lomac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
1772 struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
1775 if(!mac_lomac_enabled)
1778 /* XXX: This will be implemented soon... */
1784 mac_lomac_check_pipe_read(struct ucred *cred, struct pipepair *pp,
1785 struct label *pipelabel)
1787 struct mac_lomac *subj, *obj;
1789 if (!mac_lomac_enabled)
1792 subj = SLOT(cred->cr_label);
1793 obj = SLOT((pipelabel));
1795 if (!mac_lomac_dominate_single(obj, subj))
1796 return (maybe_demote(subj, obj, "reading", "pipe", NULL));
1802 mac_lomac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
1803 struct label *pipelabel, struct label *newlabel)
1805 struct mac_lomac *subj, *obj, *new;
1808 new = SLOT(newlabel);
1809 subj = SLOT(cred->cr_label);
1810 obj = SLOT(pipelabel);
1813 * If there is a LOMAC label update for a pipe, it must be a
1816 error = lomac_atmostflags(new, MAC_LOMAC_FLAG_SINGLE);
1821 * To perform a relabel of a pipe (LOMAC label or not), LOMAC must
1822 * authorize the relabel.
1824 if (!mac_lomac_single_in_range(obj, subj))
1828 * If the LOMAC label is to be changed, authorize as appropriate.
1830 if (new->ml_flags & MAC_LOMAC_FLAG_SINGLE) {
1832 * To change the LOMAC label on a pipe, the new pipe label
1833 * must be in the subject range.
1835 if (!mac_lomac_single_in_range(new, subj))
1839 * To change the LOMAC label on a pipe to be EQUAL, the
1840 * subject must have appropriate privilege.
1842 if (mac_lomac_contains_equal(new)) {
1843 error = mac_lomac_subject_privileged(subj);
1853 mac_lomac_check_pipe_write(struct ucred *cred, struct pipepair *pp,
1854 struct label *pipelabel)
1856 struct mac_lomac *subj, *obj;
1858 if (!mac_lomac_enabled)
1861 subj = SLOT(cred->cr_label);
1862 obj = SLOT((pipelabel));
1864 if (!mac_lomac_subject_dominate(subj, obj))
1871 mac_lomac_check_proc_debug(struct ucred *cred, struct proc *proc)
1873 struct mac_lomac *subj, *obj;
1875 if (!mac_lomac_enabled)
1878 subj = SLOT(cred->cr_label);
1879 obj = SLOT(proc->p_ucred->cr_label);
1881 /* XXX: range checks */
1882 if (!mac_lomac_dominate_single(obj, subj))
1884 if (!mac_lomac_subject_dominate(subj, obj))
1891 mac_lomac_check_proc_sched(struct ucred *cred, struct proc *proc)
1893 struct mac_lomac *subj, *obj;
1895 if (!mac_lomac_enabled)
1898 subj = SLOT(cred->cr_label);
1899 obj = SLOT(proc->p_ucred->cr_label);
1901 /* XXX: range checks */
1902 if (!mac_lomac_dominate_single(obj, subj))
1904 if (!mac_lomac_subject_dominate(subj, obj))
1911 mac_lomac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
1913 struct mac_lomac *subj, *obj;
1915 if (!mac_lomac_enabled)
1918 subj = SLOT(cred->cr_label);
1919 obj = SLOT(proc->p_ucred->cr_label);
1921 /* XXX: range checks */
1922 if (!mac_lomac_dominate_single(obj, subj))
1924 if (!mac_lomac_subject_dominate(subj, obj))
1931 mac_lomac_check_socket_deliver(struct socket *so, struct label *socketlabel,
1932 struct mbuf *m, struct label *mbuflabel)
1934 struct mac_lomac *p, *s;
1936 if (!mac_lomac_enabled)
1939 p = SLOT(mbuflabel);
1940 s = SLOT(socketlabel);
1942 return (mac_lomac_equal_single(p, s) ? 0 : EACCES);
1946 mac_lomac_check_socket_relabel(struct ucred *cred, struct socket *socket,
1947 struct label *socketlabel, struct label *newlabel)
1949 struct mac_lomac *subj, *obj, *new;
1952 new = SLOT(newlabel);
1953 subj = SLOT(cred->cr_label);
1954 obj = SLOT(socketlabel);
1957 * If there is a LOMAC label update for the socket, it may be
1958 * an update of single.
1960 error = lomac_atmostflags(new, MAC_LOMAC_FLAG_SINGLE);
1965 * To relabel a socket, the old socket single must be in the subject
1968 if (!mac_lomac_single_in_range(obj, subj))
1972 * If the LOMAC label is to be changed, authorize as appropriate.
1974 if (new->ml_flags & MAC_LOMAC_FLAG_SINGLE) {
1976 * To relabel a socket, the new socket single must be in
1977 * the subject range.
1979 if (!mac_lomac_single_in_range(new, subj))
1983 * To change the LOMAC label on the socket to contain EQUAL,
1984 * the subject must have appropriate privilege.
1986 if (mac_lomac_contains_equal(new)) {
1987 error = mac_lomac_subject_privileged(subj);
1997 mac_lomac_check_socket_visible(struct ucred *cred, struct socket *socket,
1998 struct label *socketlabel)
2000 struct mac_lomac *subj, *obj;
2002 if (!mac_lomac_enabled)
2005 subj = SLOT(cred->cr_label);
2006 obj = SLOT(socketlabel);
2008 if (!mac_lomac_dominate_single(obj, subj))
2015 mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp,
2016 struct label *label)
2018 struct mac_lomac *subj, *obj;
2020 if (!mac_lomac_enabled)
2023 subj = SLOT(cred->cr_label);
2026 if (mac_lomac_subject_privileged(subj))
2029 if (!mac_lomac_high_single(obj))
2036 mac_lomac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
2037 void *arg1, int arg2, struct sysctl_req *req)
2039 struct mac_lomac *subj;
2041 if (!mac_lomac_enabled)
2044 subj = SLOT(cred->cr_label);
2047 * Treat sysctl variables without CTLFLAG_ANYBODY flag as
2048 * lomac/high, but also require privilege to change them.
2050 if (req->newptr != NULL && (oidp->oid_kind & CTLFLAG_ANYBODY) == 0) {
2052 if (!mac_lomac_subject_dominate_high(subj))
2056 if (mac_lomac_subject_privileged(subj))
2064 mac_lomac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
2065 struct label *dlabel, struct componentname *cnp, struct vattr *vap)
2067 struct mac_lomac *subj, *obj;
2069 if (!mac_lomac_enabled)
2072 subj = SLOT(cred->cr_label);
2075 if (!mac_lomac_subject_dominate(subj, obj))
2077 if (obj->ml_flags & MAC_LOMAC_FLAG_AUX &&
2078 !mac_lomac_dominate_element(&subj->ml_single, &obj->ml_auxsingle))
2085 mac_lomac_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
2086 struct label *dlabel, struct vnode *vp, struct label *label,
2087 struct componentname *cnp)
2089 struct mac_lomac *subj, *obj;
2091 if (!mac_lomac_enabled)
2094 subj = SLOT(cred->cr_label);
2097 if (!mac_lomac_subject_dominate(subj, obj))
2102 if (!mac_lomac_subject_dominate(subj, obj))
2109 mac_lomac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
2110 struct label *label, acl_type_t type)
2112 struct mac_lomac *subj, *obj;
2114 if (!mac_lomac_enabled)
2117 subj = SLOT(cred->cr_label);
2120 if (!mac_lomac_subject_dominate(subj, obj))
2127 mac_lomac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
2128 struct label *dlabel, struct vnode *vp, struct label *label,
2129 struct componentname *cnp)
2131 struct mac_lomac *subj, *obj;
2133 if (!mac_lomac_enabled)
2136 subj = SLOT(cred->cr_label);
2139 if (!mac_lomac_subject_dominate(subj, obj))
2144 if (!mac_lomac_subject_dominate(subj, obj))
2151 mac_lomac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
2152 struct label *label, int prot, int flags)
2154 struct mac_lomac *subj, *obj;
2157 * Rely on the use of open()-time protections to handle
2158 * non-revocation cases.
2160 if (!mac_lomac_enabled)
2163 subj = SLOT(cred->cr_label);
2166 if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) {
2167 if (!mac_lomac_subject_dominate(subj, obj))
2170 if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
2171 if (!mac_lomac_dominate_single(obj, subj))
2172 return (maybe_demote(subj, obj, "mapping", "file", vp));
2179 mac_lomac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
2180 struct label *label, /* XXX vm_prot_t */ int *prot)
2182 struct mac_lomac *subj, *obj;
2185 * Rely on the use of open()-time protections to handle
2186 * non-revocation cases.
2188 if (!mac_lomac_enabled || !revocation_enabled)
2191 subj = SLOT(cred->cr_label);
2194 if (!mac_lomac_subject_dominate(subj, obj))
2195 *prot &= ~VM_PROT_WRITE;
2199 mac_lomac_check_vnode_open(struct ucred *cred, struct vnode *vp,
2200 struct label *vnodelabel, int acc_mode)
2202 struct mac_lomac *subj, *obj;
2204 if (!mac_lomac_enabled)
2207 subj = SLOT(cred->cr_label);
2208 obj = SLOT(vnodelabel);
2210 /* XXX privilege override for admin? */
2211 if (acc_mode & (VWRITE | VAPPEND | VADMIN)) {
2212 if (!mac_lomac_subject_dominate(subj, obj))
2220 mac_lomac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
2221 struct vnode *vp, struct label *label)
2223 struct mac_lomac *subj, *obj;
2225 if (!mac_lomac_enabled || !revocation_enabled)
2228 subj = SLOT(active_cred->cr_label);
2231 if (!mac_lomac_dominate_single(obj, subj))
2232 return (maybe_demote(subj, obj, "reading", "file", vp));
2238 mac_lomac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
2239 struct label *vnodelabel, struct label *newlabel)
2241 struct mac_lomac *old, *new, *subj;
2244 old = SLOT(vnodelabel);
2245 new = SLOT(newlabel);
2246 subj = SLOT(cred->cr_label);
2249 * If there is a LOMAC label update for the vnode, it must be a
2250 * single label, with an optional explicit auxiliary single.
2252 error = lomac_atmostflags(new,
2253 MAC_LOMAC_FLAG_SINGLE | MAC_LOMAC_FLAG_AUX);
2258 * To perform a relabel of the vnode (LOMAC label or not), LOMAC must
2259 * authorize the relabel.
2261 if (!mac_lomac_single_in_range(old, subj))
2265 * If the LOMAC label is to be changed, authorize as appropriate.
2267 if (new->ml_flags & MAC_LOMAC_FLAG_SINGLE) {
2269 * To change the LOMAC label on a vnode, the new vnode label
2270 * must be in the subject range.
2272 if (!mac_lomac_single_in_range(new, subj))
2276 * To change the LOMAC label on the vnode to be EQUAL,
2277 * the subject must have appropriate privilege.
2279 if (mac_lomac_contains_equal(new)) {
2280 error = mac_lomac_subject_privileged(subj);
2285 if (new->ml_flags & MAC_LOMAC_FLAG_AUX) {
2287 * Fill in the missing parts from the previous label.
2289 if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0)
2290 mac_lomac_copy_single(subj, new);
2293 * To change the auxiliary LOMAC label on a vnode, the new
2294 * vnode label must be in the subject range.
2296 if (!mac_lomac_auxsingle_in_range(new, subj))
2300 * To change the auxiliary LOMAC label on the vnode to be
2301 * EQUAL, the subject must have appropriate privilege.
2303 if (mac_lomac_contains_equal(new)) {
2304 error = mac_lomac_subject_privileged(subj);
2314 mac_lomac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
2315 struct label *dlabel, struct vnode *vp, struct label *label,
2316 struct componentname *cnp)
2318 struct mac_lomac *subj, *obj;
2320 if (!mac_lomac_enabled)
2323 subj = SLOT(cred->cr_label);
2326 if (!mac_lomac_subject_dominate(subj, obj))
2331 if (!mac_lomac_subject_dominate(subj, obj))
2338 mac_lomac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
2339 struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
2340 struct componentname *cnp)
2342 struct mac_lomac *subj, *obj;
2344 if (!mac_lomac_enabled)
2347 subj = SLOT(cred->cr_label);
2350 if (!mac_lomac_subject_dominate(subj, obj))
2356 if (!mac_lomac_subject_dominate(subj, obj))
2364 mac_lomac_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
2365 struct label *label)
2367 struct mac_lomac *subj, *obj;
2369 if (!mac_lomac_enabled)
2372 subj = SLOT(cred->cr_label);
2375 if (!mac_lomac_subject_dominate(subj, obj))
2382 mac_lomac_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
2383 struct label *label, acl_type_t type, struct acl *acl)
2385 struct mac_lomac *subj, *obj;
2387 if (!mac_lomac_enabled)
2390 subj = SLOT(cred->cr_label);
2393 if (!mac_lomac_subject_dominate(subj, obj))
2400 mac_lomac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
2401 struct label *vnodelabel, int attrnamespace, const char *name,
2404 struct mac_lomac *subj, *obj;
2406 if (!mac_lomac_enabled)
2409 subj = SLOT(cred->cr_label);
2410 obj = SLOT(vnodelabel);
2412 if (!mac_lomac_subject_dominate(subj, obj))
2415 /* XXX: protect the MAC EA in a special way? */
2421 mac_lomac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
2422 struct label *vnodelabel, u_long flags)
2424 struct mac_lomac *subj, *obj;
2426 if (!mac_lomac_enabled)
2429 subj = SLOT(cred->cr_label);
2430 obj = SLOT(vnodelabel);
2432 if (!mac_lomac_subject_dominate(subj, obj))
2439 mac_lomac_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
2440 struct label *vnodelabel, mode_t mode)
2442 struct mac_lomac *subj, *obj;
2444 if (!mac_lomac_enabled)
2447 subj = SLOT(cred->cr_label);
2448 obj = SLOT(vnodelabel);
2450 if (!mac_lomac_subject_dominate(subj, obj))
2457 mac_lomac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
2458 struct label *vnodelabel, uid_t uid, gid_t gid)
2460 struct mac_lomac *subj, *obj;
2462 if (!mac_lomac_enabled)
2465 subj = SLOT(cred->cr_label);
2466 obj = SLOT(vnodelabel);
2468 if (!mac_lomac_subject_dominate(subj, obj))
2475 mac_lomac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
2476 struct label *vnodelabel, struct timespec atime, struct timespec mtime)
2478 struct mac_lomac *subj, *obj;
2480 if (!mac_lomac_enabled)
2483 subj = SLOT(cred->cr_label);
2484 obj = SLOT(vnodelabel);
2486 if (!mac_lomac_subject_dominate(subj, obj))
2493 mac_lomac_check_vnode_write(struct ucred *active_cred,
2494 struct ucred *file_cred, struct vnode *vp, struct label *label)
2496 struct mac_lomac *subj, *obj;
2498 if (!mac_lomac_enabled || !revocation_enabled)
2501 subj = SLOT(active_cred->cr_label);
2504 if (!mac_lomac_subject_dominate(subj, obj))
2511 mac_lomac_thread_userret(struct thread *td)
2513 struct proc *p = td->td_proc;
2514 struct mac_lomac_proc *subj = PSLOT(p->p_label);
2515 struct ucred *newcred, *oldcred;
2518 mtx_lock(&subj->mtx);
2519 if (subj->mac_lomac.ml_flags & MAC_LOMAC_FLAG_UPDATE) {
2521 mtx_unlock(&subj->mtx);
2524 * Prevent a lock order reversal in
2525 * mac_cred_mmapped_drop_perms; ideally, the other
2526 * user of subj->mtx wouldn't be holding Giant.
2530 mtx_lock(&subj->mtx);
2532 * Check if we lost the race while allocating the cred.
2534 if ((subj->mac_lomac.ml_flags & MAC_LOMAC_FLAG_UPDATE) == 0) {
2538 oldcred = p->p_ucred;
2539 crcopy(newcred, oldcred);
2541 mac_lomac_copy(&subj->mac_lomac, SLOT(newcred->cr_label));
2542 p->p_ucred = newcred;
2546 mtx_unlock(&subj->mtx);
2549 mac_cred_mmapped_drop_perms(curthread, newcred);
2552 mtx_unlock(&subj->mtx);
2556 static struct mac_policy_ops mac_lomac_ops =
2558 .mpo_init = mac_lomac_init,
2559 .mpo_init_bpfdesc_label = mac_lomac_init_label,
2560 .mpo_init_cred_label = mac_lomac_init_label,
2561 .mpo_init_devfsdirent_label = mac_lomac_init_label,
2562 .mpo_init_ifnet_label = mac_lomac_init_label,
2563 .mpo_init_inpcb_label = mac_lomac_init_label_waitcheck,
2564 .mpo_init_ipq_label = mac_lomac_init_label_waitcheck,
2565 .mpo_init_mbuf_label = mac_lomac_init_label_waitcheck,
2566 .mpo_init_mount_label = mac_lomac_init_label,
2567 .mpo_init_mount_fs_label = mac_lomac_init_label,
2568 .mpo_init_pipe_label = mac_lomac_init_label,
2569 .mpo_init_proc_label = mac_lomac_init_proc_label,
2570 .mpo_init_socket_label = mac_lomac_init_label_waitcheck,
2571 .mpo_init_socket_peer_label = mac_lomac_init_label_waitcheck,
2572 .mpo_init_vnode_label = mac_lomac_init_label,
2573 .mpo_destroy_bpfdesc_label = mac_lomac_destroy_label,
2574 .mpo_destroy_cred_label = mac_lomac_destroy_label,
2575 .mpo_destroy_devfsdirent_label = mac_lomac_destroy_label,
2576 .mpo_destroy_ifnet_label = mac_lomac_destroy_label,
2577 .mpo_destroy_inpcb_label = mac_lomac_destroy_label,
2578 .mpo_destroy_ipq_label = mac_lomac_destroy_label,
2579 .mpo_destroy_mbuf_label = mac_lomac_destroy_label,
2580 .mpo_destroy_mount_label = mac_lomac_destroy_label,
2581 .mpo_destroy_mount_fs_label = mac_lomac_destroy_label,
2582 .mpo_destroy_pipe_label = mac_lomac_destroy_label,
2583 .mpo_destroy_proc_label = mac_lomac_destroy_proc_label,
2584 .mpo_destroy_socket_label = mac_lomac_destroy_label,
2585 .mpo_destroy_socket_peer_label = mac_lomac_destroy_label,
2586 .mpo_destroy_vnode_label = mac_lomac_destroy_label,
2587 .mpo_copy_cred_label = mac_lomac_copy_label,
2588 .mpo_copy_ifnet_label = mac_lomac_copy_label,
2589 .mpo_copy_mbuf_label = mac_lomac_copy_label,
2590 .mpo_copy_pipe_label = mac_lomac_copy_label,
2591 .mpo_copy_socket_label = mac_lomac_copy_label,
2592 .mpo_copy_vnode_label = mac_lomac_copy_label,
2593 .mpo_externalize_cred_label = mac_lomac_externalize_label,
2594 .mpo_externalize_ifnet_label = mac_lomac_externalize_label,
2595 .mpo_externalize_pipe_label = mac_lomac_externalize_label,
2596 .mpo_externalize_socket_label = mac_lomac_externalize_label,
2597 .mpo_externalize_socket_peer_label = mac_lomac_externalize_label,
2598 .mpo_externalize_vnode_label = mac_lomac_externalize_label,
2599 .mpo_internalize_cred_label = mac_lomac_internalize_label,
2600 .mpo_internalize_ifnet_label = mac_lomac_internalize_label,
2601 .mpo_internalize_pipe_label = mac_lomac_internalize_label,
2602 .mpo_internalize_socket_label = mac_lomac_internalize_label,
2603 .mpo_internalize_vnode_label = mac_lomac_internalize_label,
2604 .mpo_create_devfs_device = mac_lomac_create_devfs_device,
2605 .mpo_create_devfs_directory = mac_lomac_create_devfs_directory,
2606 .mpo_create_devfs_symlink = mac_lomac_create_devfs_symlink,
2607 .mpo_create_mount = mac_lomac_create_mount,
2608 .mpo_relabel_vnode = mac_lomac_relabel_vnode,
2609 .mpo_update_devfsdirent = mac_lomac_update_devfsdirent,
2610 .mpo_associate_vnode_devfs = mac_lomac_associate_vnode_devfs,
2611 .mpo_associate_vnode_extattr = mac_lomac_associate_vnode_extattr,
2612 .mpo_associate_vnode_singlelabel =
2613 mac_lomac_associate_vnode_singlelabel,
2614 .mpo_create_vnode_extattr = mac_lomac_create_vnode_extattr,
2615 .mpo_setlabel_vnode_extattr = mac_lomac_setlabel_vnode_extattr,
2616 .mpo_create_mbuf_from_socket = mac_lomac_create_mbuf_from_socket,
2617 .mpo_create_pipe = mac_lomac_create_pipe,
2618 .mpo_create_socket = mac_lomac_create_socket,
2619 .mpo_create_socket_from_socket = mac_lomac_create_socket_from_socket,
2620 .mpo_relabel_pipe = mac_lomac_relabel_pipe,
2621 .mpo_relabel_socket = mac_lomac_relabel_socket,
2622 .mpo_set_socket_peer_from_mbuf = mac_lomac_set_socket_peer_from_mbuf,
2623 .mpo_set_socket_peer_from_socket =
2624 mac_lomac_set_socket_peer_from_socket,
2625 .mpo_create_bpfdesc = mac_lomac_create_bpfdesc,
2626 .mpo_create_datagram_from_ipq = mac_lomac_create_datagram_from_ipq,
2627 .mpo_create_fragment = mac_lomac_create_fragment,
2628 .mpo_create_ifnet = mac_lomac_create_ifnet,
2629 .mpo_create_inpcb_from_socket = mac_lomac_create_inpcb_from_socket,
2630 .mpo_create_ipq = mac_lomac_create_ipq,
2631 .mpo_create_mbuf_from_inpcb = mac_lomac_create_mbuf_from_inpcb,
2632 .mpo_create_mbuf_linklayer = mac_lomac_create_mbuf_linklayer,
2633 .mpo_create_mbuf_from_bpfdesc = mac_lomac_create_mbuf_from_bpfdesc,
2634 .mpo_create_mbuf_from_ifnet = mac_lomac_create_mbuf_from_ifnet,
2635 .mpo_create_mbuf_multicast_encap =
2636 mac_lomac_create_mbuf_multicast_encap,
2637 .mpo_create_mbuf_netlayer = mac_lomac_create_mbuf_netlayer,
2638 .mpo_fragment_match = mac_lomac_fragment_match,
2639 .mpo_relabel_ifnet = mac_lomac_relabel_ifnet,
2640 .mpo_update_ipq = mac_lomac_update_ipq,
2641 .mpo_inpcb_sosetlabel = mac_lomac_inpcb_sosetlabel,
2642 .mpo_execve_transition = mac_lomac_execve_transition,
2643 .mpo_execve_will_transition = mac_lomac_execve_will_transition,
2644 .mpo_create_proc0 = mac_lomac_create_proc0,
2645 .mpo_create_proc1 = mac_lomac_create_proc1,
2646 .mpo_relabel_cred = mac_lomac_relabel_cred,
2647 .mpo_check_bpfdesc_receive = mac_lomac_check_bpfdesc_receive,
2648 .mpo_check_cred_relabel = mac_lomac_check_cred_relabel,
2649 .mpo_check_cred_visible = mac_lomac_check_cred_visible,
2650 .mpo_check_ifnet_relabel = mac_lomac_check_ifnet_relabel,
2651 .mpo_check_ifnet_transmit = mac_lomac_check_ifnet_transmit,
2652 .mpo_check_inpcb_deliver = mac_lomac_check_inpcb_deliver,
2653 .mpo_check_kld_load = mac_lomac_check_kld_load,
2654 .mpo_check_kld_unload = mac_lomac_check_kld_unload,
2655 .mpo_check_pipe_ioctl = mac_lomac_check_pipe_ioctl,
2656 .mpo_check_pipe_read = mac_lomac_check_pipe_read,
2657 .mpo_check_pipe_relabel = mac_lomac_check_pipe_relabel,
2658 .mpo_check_pipe_write = mac_lomac_check_pipe_write,
2659 .mpo_check_proc_debug = mac_lomac_check_proc_debug,
2660 .mpo_check_proc_sched = mac_lomac_check_proc_sched,
2661 .mpo_check_proc_signal = mac_lomac_check_proc_signal,
2662 .mpo_check_socket_deliver = mac_lomac_check_socket_deliver,
2663 .mpo_check_socket_relabel = mac_lomac_check_socket_relabel,
2664 .mpo_check_socket_visible = mac_lomac_check_socket_visible,
2665 .mpo_check_system_swapon = mac_lomac_check_system_swapon,
2666 .mpo_check_system_sysctl = mac_lomac_check_system_sysctl,
2667 .mpo_check_vnode_access = mac_lomac_check_vnode_open,
2668 .mpo_check_vnode_create = mac_lomac_check_vnode_create,
2669 .mpo_check_vnode_delete = mac_lomac_check_vnode_delete,
2670 .mpo_check_vnode_deleteacl = mac_lomac_check_vnode_deleteacl,
2671 .mpo_check_vnode_link = mac_lomac_check_vnode_link,
2672 .mpo_check_vnode_mmap = mac_lomac_check_vnode_mmap,
2673 .mpo_check_vnode_mmap_downgrade = mac_lomac_check_vnode_mmap_downgrade,
2674 .mpo_check_vnode_open = mac_lomac_check_vnode_open,
2675 .mpo_check_vnode_read = mac_lomac_check_vnode_read,
2676 .mpo_check_vnode_relabel = mac_lomac_check_vnode_relabel,
2677 .mpo_check_vnode_rename_from = mac_lomac_check_vnode_rename_from,
2678 .mpo_check_vnode_rename_to = mac_lomac_check_vnode_rename_to,
2679 .mpo_check_vnode_revoke = mac_lomac_check_vnode_revoke,
2680 .mpo_check_vnode_setacl = mac_lomac_check_vnode_setacl,
2681 .mpo_check_vnode_setextattr = mac_lomac_check_vnode_setextattr,
2682 .mpo_check_vnode_setflags = mac_lomac_check_vnode_setflags,
2683 .mpo_check_vnode_setmode = mac_lomac_check_vnode_setmode,
2684 .mpo_check_vnode_setowner = mac_lomac_check_vnode_setowner,
2685 .mpo_check_vnode_setutimes = mac_lomac_check_vnode_setutimes,
2686 .mpo_check_vnode_write = mac_lomac_check_vnode_write,
2687 .mpo_thread_userret = mac_lomac_thread_userret,
2690 MAC_POLICY_SET(&mac_lomac_ops, mac_lomac, "TrustedBSD MAC/LOMAC",
2691 MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS,
projects / FreeBSD / FreeBSD.git / blob