From e66fe0e1db5b5e074e568fba22bd5b69b1430b6a Mon Sep 17 00:00:00 2001 From: Robert Watson Date: Thu, 21 Dec 2006 09:51:34 +0000 Subject: [PATCH] Remove mac_enforce_subsystem debugging sysctls. Enforcement on subsystems will be a property of policy modules, which may require access control check entry points to be invoked even when not actively enforcing (i.e., to track information flow without providing protection). Obtained from: TrustedBSD Project Suggested by: Christopher dot Vance at sparta dot com --- sys/kern/kern_mac.c | 4 +- sys/security/mac/mac_framework.c | 4 +- sys/security/mac/mac_inet.c | 3 - sys/security/mac/mac_internal.h | 4 -- sys/security/mac/mac_net.c | 15 ----- sys/security/mac/mac_pipe.c | 23 ------- sys/security/mac/mac_posix_sem.c | 23 ------- sys/security/mac/mac_process.c | 57 ---------------- sys/security/mac/mac_socket.c | 42 ------------ sys/security/mac/mac_syscalls.c | 4 +- sys/security/mac/mac_system.c | 55 ---------------- sys/security/mac/mac_sysv_msg.c | 27 -------- sys/security/mac/mac_sysv_sem.c | 14 ---- sys/security/mac/mac_sysv_shm.c | 18 ----- sys/security/mac/mac_vfs.c | 110 ------------------------------- 15 files changed, 3 insertions(+), 400 deletions(-) diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c index 080b1ad7afa..a18b853f662 100644 --- a/sys/kern/kern_mac.c +++ b/sys/kern/kern_mac.c @@ -741,9 +741,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) crhold(newcred); PROC_UNLOCK(p); - if (mac_enforce_vm) { - mac_cred_mmapped_drop_perms(td, newcred); - } + mac_cred_mmapped_drop_perms(td, newcred); crfree(newcred); /* Free revocation reference. */ crfree(oldcred); diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index 080b1ad7afa..a18b853f662 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c 
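Review bot: After this hunk the only remaining throttle on mmap revocation is the `mac_mmap_revocation` sysctl that the commit leaves in mac_process.c, because the removed `if (mac_enforce_vm)` was the last caller-side gate and mac_cred_mmapped_drop_perms() is now reached on every successful __mac_set_proc(); confirm the callee still consults `mac_mmap_revocation`, since nothing in this patch shows it. A one-line comment above the call would make the new contract explicit, e.g. `/* No framework-level gate here; policies and mac_mmap_revocation decide. */`. The identical hunk is shown again under sys/security/mac/mac_framework.c and sys/security/mac/mac_syscalls.c with the same blob ids (080b1ad7afa..a18b853f662), which looks like one file rendered under alternate paths rather than three separate edits, so this note covers those too. __mac_set_proc's body starts and ends outside the hunk.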
@@ -741,9 +741,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) crhold(newcred); PROC_UNLOCK(p); - if (mac_enforce_vm) { - mac_cred_mmapped_drop_perms(td, newcred); - } + mac_cred_mmapped_drop_perms(td, newcred); crfree(newcred); /* Free revocation reference. */ crfree(oldcred); diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c index 8802a506a52..d946bb91bb2 100644 --- a/sys/security/mac/mac_inet.c +++ b/sys/security/mac/mac_inet.c @@ -260,9 +260,6 @@ mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m) M_ASSERTPKTHDR(m); - if (!mac_enforce_socket) - return (0); - label = mac_mbuf_to_label(m); MAC_CHECK(check_inpcb_deliver, inp, inp->inp_label, m, label); diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index 40146a6829f..24a6cfc5cf2 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h @@ -61,10 +61,6 @@ MALLOC_DECLARE(M_MACTEMP); extern struct mac_policy_list_head mac_policy_list; extern struct mac_policy_list_head mac_static_policy_list; extern int mac_late; -extern int mac_enforce_network; -extern int mac_enforce_process; -extern int mac_enforce_socket; -extern int mac_enforce_vm; #ifndef MAC_ALWAYS_LABEL_MBUF extern int mac_labelmbufs; #endif diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index 374b3cd2618..95ad63b1017 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c 
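Review bot: With the `mac_enforce_socket` gate gone, `label = mac_mbuf_to_label(m);` and the check_inpcb_deliver entry point now run for every delivered packet, including configurations where mbufs carry no label (mac_internal.h still declares `mac_labelmbufs` under `#ifndef MAC_ALWAYS_LABEL_MBUF`); previously setting the sysctl to 0 returned before that path, so confirm that mac_mbuf_to_label() and each policy's check_inpcb_deliver handler tolerate a NULL label. The same consideration applies to mac_check_ifnet_transmit in mac_net.c and mac_check_socket_deliver in mac_socket.c, which after this commit also call mac_mbuf_to_label() unconditionally. mac_check_inpcb_deliver's body starts and ends outside the hunk.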
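Review bot: Dropping these four `extern` declarations turns any reference left outside the files in the diffstat into a build break, and the comment removed from mac_net.c in this same commit says `mac_enforce_network` was used by the IPv4 and IPv6 checks, yet no file under sys/netinet or sys/netinet6 appears in the diffstat; a tree-wide search for `mac_enforce_` before merging would confirm nothing was missed. If any module outside sys/security/mac still reads `mac_enforce_socket` (the mac_socket.c comment being removed says the inet code did), it needs the same treatment as mac_inet.c here.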
@@ -65,15 +65,6 @@ __FBSDID("$FreeBSD$"); #include #include -/* - * mac_enforce_network is used by IPv4 and IPv6 checks, and so must be - * non-static for now. - */ -int mac_enforce_network = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, - &mac_enforce_network, 0, "Enforce MAC policy on network packets"); -TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network); - /* * XXXRW: struct ifnet locking is incomplete in the network code, so we use * our own global mutex for struct ifnet. Non-ideal, but should help in the @@ -383,9 +374,6 @@ mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) BPFD_LOCK_ASSERT(bpf_d); - if (!mac_enforce_network) - return (0); - MAC_IFNET_LOCK(ifnet); MAC_CHECK(check_bpfdesc_receive, bpf_d, bpf_d->bd_label, ifnet, ifnet->if_label); @@ -402,9 +390,6 @@ mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) M_ASSERTPKTHDR(mbuf); - if (!mac_enforce_network) - return (0); - label = mac_mbuf_to_label(mbuf); MAC_IFNET_LOCK(ifnet); diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index edc031321b3..44755adfb01 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c @@ -52,11 +52,6 @@ __FBSDID("$FreeBSD$"); #include #include -static int mac_enforce_pipe = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW, - &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations"); -TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe); - struct label * mac_pipe_label_alloc(void) { @@ -141,9 +136,6 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp, mtx_assert(&pp->pp_mtx, MA_OWNED); - if (!mac_enforce_pipe) - return (0); - MAC_CHECK(check_pipe_ioctl, cred, pp, pp->pp_label, cmd, data); return (error); @@ -156,9 +148,6 @@ mac_check_pipe_poll(struct ucred *cred, struct pipepair *pp) mtx_assert(&pp->pp_mtx, MA_OWNED); - if (!mac_enforce_pipe) - return (0); - MAC_CHECK(check_pipe_poll, cred, pp, pp->pp_label); return (error); 
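Review bot: Removing the `security.mac.enforce_network` tunable and sysctl is a silent behaviour change for any host that had set it to 0: a loader tunable with an unknown name is simply not applied, a sysctl.conf entry will at most be reported as an unknown OID, and from then on every network check is enforced by whatever policies are loaded. The same applies to the other enforce_* knobs removed in this commit in mac_pipe.c, mac_posix_sem.c, mac_process.c, mac_socket.c, mac_system.c, mac_sysv_msg.c, mac_sysv_sem.c, mac_sysv_shm.c and mac_vfs.c. Since the diffstat includes no manual page or UPDATING entry, the commit message should state that the knobs are gone and that enforcement is now decided per policy module, and mac(4) should drop the corresponding sysctl descriptions if it lists them.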
@@ -171,9 +160,6 @@ mac_check_pipe_read(struct ucred *cred, struct pipepair *pp) mtx_assert(&pp->pp_mtx, MA_OWNED); - if (!mac_enforce_pipe) - return (0); - MAC_CHECK(check_pipe_read, cred, pp, pp->pp_label); return (error); @@ -187,9 +173,6 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp, mtx_assert(&pp->pp_mtx, MA_OWNED); - if (!mac_enforce_pipe) - return (0); - MAC_CHECK(check_pipe_relabel, cred, pp, pp->pp_label, newlabel); return (error); @@ -202,9 +185,6 @@ mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp) mtx_assert(&pp->pp_mtx, MA_OWNED); - if (!mac_enforce_pipe) - return (0); - MAC_CHECK(check_pipe_stat, cred, pp, pp->pp_label); return (error); @@ -217,9 +197,6 @@ mac_check_pipe_write(struct ucred *cred, struct pipepair *pp) mtx_assert(&pp->pp_mtx, MA_OWNED); - if (!mac_enforce_pipe) - return (0); - MAC_CHECK(check_pipe_write, cred, pp, pp->pp_label); return (error); diff --git a/sys/security/mac/mac_posix_sem.c b/sys/security/mac/mac_posix_sem.c index ec05587e004..6c66e7e7af3 100644 --- a/sys/security/mac/mac_posix_sem.c +++ b/sys/security/mac/mac_posix_sem.c @@ -49,11 +49,6 @@ __FBSDID("$FreeBSD$"); #include #include -static int mac_enforce_posix_sem = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_posix_sem, CTLFLAG_RW, - &mac_enforce_posix_sem, 0, "Enforce MAC policy on global POSIX semaphores"); -TUNABLE_INT("security.mac.enforce_posix_sem", &mac_enforce_posix_sem); - static struct label * mac_posix_sem_label_alloc(void) { @@ -98,9 +93,6 @@ mac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ksemptr) { int error; - if (!mac_enforce_posix_sem) - return (0); - MAC_CHECK(check_posix_sem_destroy, cred, ksemptr, ksemptr->ks_label); return(error); @@ -111,9 +103,6 @@ mac_check_posix_sem_open(struct ucred *cred, struct ksem *ksemptr) { int error; - if (!mac_enforce_posix_sem) - return (0); - MAC_CHECK(check_posix_sem_open, cred, ksemptr, ksemptr->ks_label); return(error); 
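Review bot: The surviving `return(error);` lines in mac_posix_sem.c (this hunk and the following ones in the file, and likewise in mac_sysv_msg.c, mac_sysv_sem.c and mac_sysv_shm.c) differ from the `return (error);` form used in every other file touched by this patch. Since the commit already edits each of these functions, normalising them to `return (error);` in the same change would leave the framework consistent with style(9) at no extra review cost.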
@@ -124,9 +113,6 @@ mac_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ksemptr) { int error; - if (!mac_enforce_posix_sem) - return (0); - MAC_CHECK(check_posix_sem_getvalue, cred, ksemptr, ksemptr->ks_label); @@ -138,9 +124,6 @@ mac_check_posix_sem_post(struct ucred *cred, struct ksem *ksemptr) { int error; - if (!mac_enforce_posix_sem) - return (0); - MAC_CHECK(check_posix_sem_post, cred, ksemptr, ksemptr->ks_label); return(error); @@ -151,9 +134,6 @@ mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ksemptr) { int error; - if (!mac_enforce_posix_sem) - return (0); - MAC_CHECK(check_posix_sem_unlink, cred, ksemptr, ksemptr->ks_label); return(error); @@ -164,9 +144,6 @@ mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ksemptr) { int error; - if (!mac_enforce_posix_sem) - return (0); - MAC_CHECK(check_posix_sem_wait, cred, ksemptr, ksemptr->ks_label); return(error); diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index 5a63b0d50d6..43c564e8144 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c @@ -67,16 +67,6 @@ __FBSDID("$FreeBSD$"); #include #include -int mac_enforce_process = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW, - &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations"); -TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process); - -int mac_enforce_vm = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW, - &mac_enforce_vm, 0, "Enforce MAC policy on vm operations"); -TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm); - static int mac_mmap_revocation = 1; SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW, &mac_mmap_revocation, 0, "Revoke mmap access to files on subject " 
@@ -87,11 +77,6 @@ SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " "copy-on-write semantics, or by removing all write access"); -static int mac_enforce_suid = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_suid, CTLFLAG_RW, - &mac_enforce_suid, 0, "Enforce MAC policy on suid/sgid operations"); -TUNABLE_INT("security.mac.enforce_suid", &mac_enforce_suid); - static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map); @@ -466,9 +451,6 @@ mac_check_cred_visible(struct ucred *u1, struct ucred *u2) { int error; - if (!mac_enforce_process) - return (0); - MAC_CHECK(check_cred_visible, u1, u2); return (error); @@ -481,9 +463,6 @@ mac_check_proc_debug(struct ucred *cred, struct proc *proc) PROC_LOCK_ASSERT(proc, MA_OWNED); - if (!mac_enforce_process) - return (0); - MAC_CHECK(check_proc_debug, cred, proc); return (error); @@ -496,9 +475,6 @@ mac_check_proc_sched(struct ucred *cred, struct proc *proc) PROC_LOCK_ASSERT(proc, MA_OWNED); - if (!mac_enforce_process) - return (0); - MAC_CHECK(check_proc_sched, cred, proc); return (error); @@ -511,9 +487,6 @@ mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) PROC_LOCK_ASSERT(proc, MA_OWNED); - if (!mac_enforce_process) - return (0); - MAC_CHECK(check_proc_signal, cred, proc, signum); return (error); @@ -526,9 +499,6 @@ mac_check_proc_setuid(struct proc *proc, struct ucred *cred, uid_t uid) PROC_LOCK_ASSERT(proc, MA_OWNED); - if (!mac_enforce_suid) - return (0); - MAC_CHECK(check_proc_setuid, cred, uid); return (error); } @@ -540,9 +510,6 @@ mac_check_proc_seteuid(struct proc *proc, struct ucred *cred, uid_t euid) PROC_LOCK_ASSERT(proc, MA_OWNED); - if (!mac_enforce_suid) - return (0); - MAC_CHECK(check_proc_seteuid, cred, euid); return (error); } 
@@ -554,9 +521,6 @@ mac_check_proc_setgid(struct proc *proc, struct ucred *cred, gid_t gid) PROC_LOCK_ASSERT(proc, MA_OWNED); - if (!mac_enforce_suid) - return (0); - MAC_CHECK(check_proc_setgid, cred, gid); return (error); } @@ -568,9 +532,6 @@ mac_check_proc_setegid(struct proc *proc, struct ucred *cred, gid_t egid) PROC_LOCK_ASSERT(proc, MA_OWNED); - if (!mac_enforce_suid) - return (0); - MAC_CHECK(check_proc_setegid, cred, egid); return (error); } @@ -583,9 +544,6 @@ mac_check_proc_setgroups(struct proc *proc, struct ucred *cred, PROC_LOCK_ASSERT(proc, MA_OWNED); - if (!mac_enforce_suid) - return (0); - MAC_CHECK(check_proc_setgroups, cred, ngroups, gidset); return (error); } @@ -598,9 +556,6 @@ mac_check_proc_setreuid(struct proc *proc, struct ucred *cred, uid_t ruid, PROC_LOCK_ASSERT(proc, MA_OWNED); - if (!mac_enforce_suid) - return (0); - MAC_CHECK(check_proc_setreuid, cred, ruid, euid); return (error); } @@ -613,9 +568,6 @@ mac_check_proc_setregid(struct proc *proc, struct ucred *cred, gid_t rgid, PROC_LOCK_ASSERT(proc, MA_OWNED); - if (!mac_enforce_suid) - return (0); - MAC_CHECK(check_proc_setregid, cred, rgid, egid); return (error); } @@ -628,9 +580,6 @@ mac_check_proc_setresuid(struct proc *proc, struct ucred *cred, uid_t ruid, PROC_LOCK_ASSERT(proc, MA_OWNED); - if (!mac_enforce_suid) - return (0); - MAC_CHECK(check_proc_setresuid, cred, ruid, euid, suid); return (error); } @@ -643,9 +592,6 @@ mac_check_proc_setresgid(struct proc *proc, struct ucred *cred, gid_t rgid, PROC_LOCK_ASSERT(proc, MA_OWNED); - if (!mac_enforce_suid) - return (0); - MAC_CHECK(check_proc_setresgid, cred, rgid, egid, sgid); return (error); } @@ -657,9 +603,6 @@ mac_check_proc_wait(struct ucred *cred, struct proc *proc) PROC_LOCK_ASSERT(proc, MA_OWNED); - if (!mac_enforce_process) - return (0); - MAC_CHECK(check_proc_wait, cred, proc); return (error); diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c index 2a2dfa43529..28985197e4e 100644 
--- a/sys/security/mac/mac_socket.c +++ b/sys/security/mac/mac_socket.c @@ -72,15 +72,6 @@ __FBSDID("$FreeBSD$"); #include #include -/* - * mac_enforce_socket is used by the inet code when delivering to an inpcb - * without hitting the socket layer, and has to be non-static for now. - */ -int mac_enforce_socket = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, - &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); -TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); - /* * Currently, sockets hold two labels: the label of the socket itself, and a * peer label, which may be used by policies to hold a copy of the label of @@ -285,9 +276,6 @@ mac_check_socket_accept(struct ucred *cred, struct socket *socket) SOCK_LOCK_ASSERT(socket); - if (!mac_enforce_socket) - return (0); - MAC_CHECK(check_socket_accept, cred, socket, socket->so_label); return (error); @@ -301,9 +289,6 @@ mac_check_socket_bind(struct ucred *ucred, struct socket *socket, SOCK_LOCK_ASSERT(socket); - if (!mac_enforce_socket) - return (0); - MAC_CHECK(check_socket_bind, ucred, socket, socket->so_label, sockaddr); @@ -318,9 +303,6 @@ mac_check_socket_connect(struct ucred *cred, struct socket *socket, SOCK_LOCK_ASSERT(socket); - if (!mac_enforce_socket) - return (0); - MAC_CHECK(check_socket_connect, cred, socket, socket->so_label, sockaddr); @@ -333,9 +315,6 @@ mac_check_socket_create(struct ucred *cred, int domain, int type, { int error; - if (!mac_enforce_socket) - return (0); - MAC_CHECK(check_socket_create, cred, domain, type, protocol); return (error); @@ -349,9 +328,6 @@ mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) SOCK_LOCK_ASSERT(socket); - if (!mac_enforce_socket) - return (0); - label = mac_mbuf_to_label(mbuf); MAC_CHECK(check_socket_deliver, socket, socket->so_label, mbuf, 
@@ -367,9 +343,6 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket) SOCK_LOCK_ASSERT(socket); - if (!mac_enforce_socket) - return (0); - MAC_CHECK(check_socket_listen, cred, socket, socket->so_label); return (error); } @@ -381,9 +354,6 @@ mac_check_socket_poll(struct ucred *cred, struct socket *so) SOCK_LOCK_ASSERT(so); - if (!mac_enforce_socket) - return (0); - MAC_CHECK(check_socket_poll, cred, so, so->so_label); return (error); } @@ -395,9 +365,6 @@ mac_check_socket_receive(struct ucred *cred, struct socket *so) SOCK_LOCK_ASSERT(so); - if (!mac_enforce_socket) - return (0); - MAC_CHECK(check_socket_receive, cred, so, so->so_label); return (error); @@ -424,9 +391,6 @@ mac_check_socket_send(struct ucred *cred, struct socket *so) SOCK_LOCK_ASSERT(so); - if (!mac_enforce_socket) - return (0); - MAC_CHECK(check_socket_send, cred, so, so->so_label); return (error); @@ -439,9 +403,6 @@ mac_check_socket_stat(struct ucred *cred, struct socket *so) SOCK_LOCK_ASSERT(so); - if (!mac_enforce_socket) - return (0); - MAC_CHECK(check_socket_stat, cred, so, so->so_label); return (error); @@ -454,9 +415,6 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket) SOCK_LOCK_ASSERT(socket); - if (!mac_enforce_socket) - return (0); - MAC_CHECK(check_socket_visible, cred, socket, socket->so_label); return (error); diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index 080b1ad7afa..a18b853f662 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c @@ -741,9 +741,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) crhold(newcred); PROC_UNLOCK(p); - if (mac_enforce_vm) { - mac_cred_mmapped_drop_perms(td, newcred); - } + mac_cred_mmapped_drop_perms(td, newcred); crfree(newcred); /* Free revocation reference. */ crfree(oldcred); diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index 79108a3d105..b6ad19264f2 100644 --- a/sys/security/mac/mac_system.c 
+++ b/sys/security/mac/mac_system.c @@ -50,16 +50,6 @@ __FBSDID("$FreeBSD$"); #include #include -static int mac_enforce_kld = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW, - &mac_enforce_kld, 0, "Enforce MAC policy on kld operations"); -TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld); - -static int mac_enforce_system = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_system, CTLFLAG_RW, - &mac_enforce_system, 0, "Enforce MAC policy on system operations"); -TUNABLE_INT("security.mac.enforce_system", &mac_enforce_system); - /* * XXXRW: Some of these checks now duplicate privilege checks. However, * others provide additional security context that may be useful to policies. @@ -71,9 +61,6 @@ mac_check_kenv_dump(struct ucred *cred) { int error; - if (!mac_enforce_system) - return (0); - MAC_CHECK(check_kenv_dump, cred); return (error); @@ -84,9 +71,6 @@ mac_check_kenv_get(struct ucred *cred, char *name) { int error; - if (!mac_enforce_system) - return (0); - MAC_CHECK(check_kenv_get, cred, name); return (error); @@ -97,9 +81,6 @@ mac_check_kenv_set(struct ucred *cred, char *name, char *value) { int error; - if (!mac_enforce_system) - return (0); - MAC_CHECK(check_kenv_set, cred, name, value); return (error); @@ -110,9 +91,6 @@ mac_check_kenv_unset(struct ucred *cred, char *name) { int error; - if (!mac_enforce_system) - return (0); - MAC_CHECK(check_kenv_unset, cred, name); return (error); @@ -125,9 +103,6 @@ mac_check_kld_load(struct ucred *cred, struct vnode *vp) ASSERT_VOP_LOCKED(vp, "mac_check_kld_load"); - if (!mac_enforce_kld) - return (0); - MAC_CHECK(check_kld_load, cred, vp, vp->v_label); return (error); @@ -138,9 +113,6 @@ mac_check_kld_stat(struct ucred *cred) { int error; - if (!mac_enforce_kld) - return (0); - MAC_CHECK(check_kld_stat, cred); return (error); @@ -151,9 +123,6 @@ mac_check_kld_unload(struct ucred *cred) { int error; - if (!mac_enforce_kld) - return (0); - MAC_CHECK(check_kld_unload, cred); return (error); 
@@ -164,9 +133,6 @@ mac_check_sysarch_ioperm(struct ucred *cred) { int error; - if (!mac_enforce_system) - return (0); - MAC_CHECK(check_sysarch_ioperm, cred); return (error); } @@ -180,9 +146,6 @@ mac_check_system_acct(struct ucred *cred, struct vnode *vp) ASSERT_VOP_LOCKED(vp, "mac_check_system_acct"); } - if (!mac_enforce_system) - return (0); - MAC_CHECK(check_system_acct, cred, vp, vp != NULL ? vp->v_label : NULL); @@ -194,9 +157,6 @@ mac_check_system_nfsd(struct ucred *cred) { int error; - if (!mac_enforce_system) - return (0); - MAC_CHECK(check_system_nfsd, cred); return (error); @@ -207,9 +167,6 @@ mac_check_system_reboot(struct ucred *cred, int howto) { int error; - if (!mac_enforce_system) - return (0); - MAC_CHECK(check_system_reboot, cred, howto); return (error); @@ -220,9 +177,6 @@ mac_check_system_settime(struct ucred *cred) { int error; - if (!mac_enforce_system) - return (0); - MAC_CHECK(check_system_settime, cred); return (error); @@ -235,9 +189,6 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp) ASSERT_VOP_LOCKED(vp, "mac_check_system_swapon"); - if (!mac_enforce_system) - return (0); - MAC_CHECK(check_system_swapon, cred, vp, vp->v_label); return (error); } @@ -249,9 +200,6 @@ mac_check_system_swapoff(struct ucred *cred, struct vnode *vp) ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff"); - if (!mac_enforce_system) - return (0); - MAC_CHECK(check_system_swapoff, cred, vp, vp->v_label); return (error); } @@ -266,9 +214,6 @@ mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1, * XXXMAC: We would very much like to assert the SYSCTL_LOCK here, * but since it's not exported from kern_sysctl.c, we can't. */ - if (!mac_enforce_system) - return (0); - MAC_CHECK(check_system_sysctl, cred, oidp, arg1, arg2, req); return (error); diff --git a/sys/security/mac/mac_sysv_msg.c b/sys/security/mac/mac_sysv_msg.c index 8e66281a3bb..95d79ce6db4 100644 --- a/sys/security/mac/mac_sysv_msg.c 
+++ b/sys/security/mac/mac_sysv_msg.c @@ -54,12 +54,6 @@ __FBSDID("$FreeBSD$"); #include #include -static int mac_enforce_sysv_msg = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_msg, CTLFLAG_RW, - &mac_enforce_sysv_msg, 0, - "Enforce MAC policy on System V IPC Message Queues"); -TUNABLE_INT("security.mac.enforce_sysv_msg", &mac_enforce_sysv_msg); - static struct label * mac_sysv_msgmsg_label_alloc(void) { @@ -162,9 +156,6 @@ mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr, { int error; - if (!mac_enforce_sysv_msg) - return (0); - MAC_CHECK(check_sysv_msgmsq, cred, msgptr, msgptr->label, msqkptr, msqkptr->label); @@ -176,9 +167,6 @@ mac_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr) { int error; - if (!mac_enforce_sysv_msg) - return (0); - MAC_CHECK(check_sysv_msgrcv, cred, msgptr, msgptr->label); return(error); @@ -189,9 +177,6 @@ mac_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr) { int error; - if (!mac_enforce_sysv_msg) - return (0); - MAC_CHECK(check_sysv_msgrmid, cred, msgptr, msgptr->label); return(error); @@ -202,9 +187,6 @@ mac_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr) { int error; - if (!mac_enforce_sysv_msg) - return (0); - MAC_CHECK(check_sysv_msqget, cred, msqkptr, msqkptr->label); return(error); @@ -215,9 +197,6 @@ mac_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr) { int error; - if (!mac_enforce_sysv_msg) - return (0); - MAC_CHECK(check_sysv_msqsnd, cred, msqkptr, msqkptr->label); return(error); @@ -228,9 +207,6 @@ mac_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr) { int error; - if (!mac_enforce_sysv_msg) - return (0); - MAC_CHECK(check_sysv_msqrcv, cred, msqkptr, msqkptr->label); return(error); @@ -242,9 +218,6 @@ mac_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, { int error; - if (!mac_enforce_sysv_msg) - return (0); - MAC_CHECK(check_sysv_msqctl, cred, msqkptr, msqkptr->label, cmd); return(error); 
diff --git a/sys/security/mac/mac_sysv_sem.c b/sys/security/mac/mac_sysv_sem.c index aae67884c0f..80778c3ec2e 100644 --- a/sys/security/mac/mac_sysv_sem.c +++ b/sys/security/mac/mac_sysv_sem.c @@ -54,11 +54,6 @@ __FBSDID("$FreeBSD$"); #include #include -static int mac_enforce_sysv_sem = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_sem, CTLFLAG_RW, - &mac_enforce_sysv_sem, 0, "Enforce MAC policy on System V IPC Semaphores"); -TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_sem); - static struct label * mac_sysv_sem_label_alloc(void) { @@ -112,9 +107,6 @@ mac_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr, { int error; - if (!mac_enforce_sysv_sem) - return (0); - MAC_CHECK(check_sysv_semctl, cred, semakptr, semakptr->label, cmd); return(error); @@ -125,9 +117,6 @@ mac_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr) { int error; - if (!mac_enforce_sysv_sem) - return (0); - MAC_CHECK(check_sysv_semget, cred, semakptr, semakptr->label); return(error); @@ -139,9 +128,6 @@ mac_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr, { int error; - if (!mac_enforce_sysv_sem) - return (0); - MAC_CHECK(check_sysv_semop, cred, semakptr, semakptr->label, accesstype); diff --git a/sys/security/mac/mac_sysv_shm.c b/sys/security/mac/mac_sysv_shm.c index b7c8cfb5df8..7bdffdb4a53 100644 --- a/sys/security/mac/mac_sysv_shm.c +++ b/sys/security/mac/mac_sysv_shm.c @@ -54,12 +54,6 @@ __FBSDID("$FreeBSD$"); #include #include -static int mac_enforce_sysv_shm = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_shm, CTLFLAG_RW, - &mac_enforce_sysv_shm, 0, - "Enforce MAC policy on System V IPC shared memory"); -TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_shm); - static struct label * mac_sysv_shm_label_alloc(void) { 
@@ -113,9 +107,6 @@ mac_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, { int error; - if (!mac_enforce_sysv_shm) - return (0); - MAC_CHECK(check_sysv_shmat, cred, shmsegptr, shmsegptr->label, shmflg); @@ -128,9 +119,6 @@ mac_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, { int error; - if (!mac_enforce_sysv_shm) - return (0); - MAC_CHECK(check_sysv_shmctl, cred, shmsegptr, shmsegptr->label, cmd); @@ -142,9 +130,6 @@ mac_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr) { int error; - if (!mac_enforce_sysv_shm) - return (0); - MAC_CHECK(check_sysv_shmdt, cred, shmsegptr, shmsegptr->label); return(error); @@ -156,9 +141,6 @@ mac_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, { int error; - if (!mac_enforce_sysv_shm) - return (0); - MAC_CHECK(check_sysv_shmget, cred, shmsegptr, shmsegptr->label, shmflg); diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index 403bc1c29ee..b5901f9fbd3 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c @@ -79,11 +79,6 @@ __FBSDID("$FreeBSD$"); */ static int ea_warn_once = 0; -static int mac_enforce_fs = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, - &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); -TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); - static int mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, struct label *intlabel); @@ -351,9 +346,6 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, ASSERT_VOP_LOCKED(vp, "mac_execve_transition"); - if (!mac_enforce_process && !mac_enforce_fs) - return; - MAC_PERFORM(execve_transition, old, new, vp, vp->v_label, interpvnodelabel, imgp, imgp->execlabel); } 
@@ -366,9 +358,6 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp, ASSERT_VOP_LOCKED(vp, "mac_execve_will_transition"); - if (!mac_enforce_process && !mac_enforce_fs) - return (0); - result = 0; MAC_BOOLEAN(execve_will_transition, ||, old, vp, vp->v_label, interpvnodelabel, imgp, imgp->execlabel); @@ -383,9 +372,6 @@ mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode) ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_access, cred, vp, vp->v_label, acc_mode); return (error); } @@ -397,9 +383,6 @@ mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp) ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_chdir, cred, dvp, dvp->v_label); return (error); } @@ -411,9 +394,6 @@ mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp) ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_chroot, cred, dvp, dvp->v_label); return (error); } @@ -426,9 +406,6 @@ mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_create, cred, dvp, dvp->v_label, cnp, vap); return (error); } @@ -442,9 +419,6 @@ mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_delete, cred, dvp, dvp->v_label, vp, vp->v_label, cnp); return (error); @@ -458,9 +432,6 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_deleteacl, cred, vp, vp->v_label, type); return (error); } 
@@ -473,9 +444,6 @@ mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_deleteextattr, cred, vp, vp->v_label, attrnamespace, name); return (error); @@ -489,9 +457,6 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp, ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec"); - if (!mac_enforce_process && !mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_exec, cred, vp, vp->v_label, imgp, imgp->execlabel); @@ -505,9 +470,6 @@ mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_getacl, cred, vp, vp->v_label, type); return (error); } @@ -520,9 +482,6 @@ mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_getextattr, cred, vp, vp->v_label, attrnamespace, name, uio); return (error); @@ -537,9 +496,6 @@ mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_link, cred, dvp, dvp->v_label, vp, vp->v_label, cnp); return (error); @@ -553,9 +509,6 @@ mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_listextattr, cred, vp, vp->v_label, attrnamespace); return (error); @@ -569,9 +522,6 @@ mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_lookup, cred, dvp, dvp->v_label, cnp); return (error); } 
@@ -584,9 +534,6 @@ mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap"); - if (!mac_enforce_fs || !mac_enforce_vm) - return (0); - MAC_CHECK(check_vnode_mmap, cred, vp, vp->v_label, prot, flags); return (error); } @@ -598,9 +545,6 @@ mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot) ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_downgrade"); - if (!mac_enforce_fs || !mac_enforce_vm) - return; - MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, vp->v_label, &result); @@ -614,9 +558,6 @@ mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot) ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mprotect"); - if (!mac_enforce_fs || !mac_enforce_vm) - return (0); - MAC_CHECK(check_vnode_mprotect, cred, vp, vp->v_label, prot); return (error); } @@ -628,9 +569,6 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, int acc_mode) ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_open, cred, vp, vp->v_label, acc_mode); return (error); } @@ -643,9 +581,6 @@ mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp, vp->v_label); @@ -660,9 +595,6 @@ mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_read, active_cred, file_cred, vp, vp->v_label); @@ -676,9 +608,6 @@ mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_readdir, cred, dvp, dvp->v_label); return (error); } 
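Review bot: In mac_check_vnode_mmap_downgrade the removed early return previously left `*prot` untouched when enforcement was off, whereas the no-policy case now falls through to `MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, vp->v_label, &result);` with whatever `result` held before the hunk; the function starts and ends outside the hunk, so confirm that `result` is initialised from `*prot` before the MAC_PERFORM call, otherwise a kernel with no policy registered could write an uninitialised value back into `*prot`. The neighbouring mac_check_vnode_mmap and mac_check_vnode_mprotect hunks do not have this concern, since MAC_CHECK sets `error` which is returned directly.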
@@ -690,9 +619,6 @@ mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp) ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_readlink, cred, vp, vp->v_label); return (error); } @@ -719,9 +645,6 @@ mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_rename_from, cred, dvp, dvp->v_label, vp, vp->v_label, cnp); return (error); @@ -736,9 +659,6 @@ mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to"); ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_rename_to, cred, dvp, dvp->v_label, vp, vp != NULL ? vp->v_label : NULL, samedir, cnp); return (error); @@ -751,9 +671,6 @@ mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp) ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_revoke, cred, vp, vp->v_label); return (error); } @@ -766,9 +683,6 @@ mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_setacl, cred, vp, vp->v_label, type, acl); return (error); } @@ -781,9 +695,6 @@ mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_setextattr, cred, vp, vp->v_label, attrnamespace, name, uio); return (error); @@ -796,9 +707,6 @@ mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags) ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_setflags, cred, vp, vp->v_label, flags); return (error); } 
@@ -810,9 +718,6 @@ mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_setmode, cred, vp, vp->v_label, mode); return (error); } @@ -825,9 +730,6 @@ mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_setowner, cred, vp, vp->v_label, uid, gid); return (error); } @@ -840,9 +742,6 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_setutimes, cred, vp, vp->v_label, atime, mtime); return (error); @@ -856,9 +755,6 @@ mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp, vp->v_label); return (error); @@ -872,9 +768,6 @@ mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_vnode_write, active_cred, file_cred, vp, vp->v_label); @@ -901,9 +794,6 @@ mac_check_mount_stat(struct ucred *cred, struct mount *mount) { int error; - if (!mac_enforce_fs) - return (0); - MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_mntlabel); return (error); -- 2.45.2