2 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
3 * Copyright (c) 2001-2005 McAfee, Inc.
6 * This software was developed by Robert Watson for the TrustedBSD Project.
8 * This software was developed for the FreeBSD Project in part by McAfee
9 * Research, the Security Research Division of McAfee, Inc. under
10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
11 * CHATS research program.
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * Developed by the TrustedBSD Project.
40 * Biba fixed label mandatory integrity policy.
43 #include <sys/param.h>
45 #include <sys/extattr.h>
46 #include <sys/kernel.h>
48 #include <sys/malloc.h>
50 #include <sys/mount.h>
54 #include <sys/systm.h>
55 #include <sys/sysproto.h>
56 #include <sys/sysent.h>
57 #include <sys/systm.h>
58 #include <sys/vnode.h>
60 #include <sys/socket.h>
61 #include <sys/socketvar.h>
64 #include <sys/sysctl.h>
69 #include <fs/devfs/devfs.h>
71 #include <net/bpfdesc.h>
73 #include <net/if_types.h>
74 #include <net/if_var.h>
76 #include <netinet/in.h>
77 #include <netinet/in_pcb.h>
78 #include <netinet/ip_var.h>
83 #include <security/mac/mac_policy.h>
84 #include <security/mac_biba/mac_biba.h>
86 SYSCTL_DECL(_security_mac);
88 SYSCTL_NODE(_security_mac, OID_AUTO, biba, CTLFLAG_RW, 0,
89 "TrustedBSD mac_biba policy controls");
91 static int biba_label_size = sizeof(struct mac_biba);
92 SYSCTL_INT(_security_mac_biba, OID_AUTO, label_size, CTLFLAG_RD,
93 &biba_label_size, 0, "Size of struct mac_biba");
95 static int biba_enabled = 1;
96 SYSCTL_INT(_security_mac_biba, OID_AUTO, enabled, CTLFLAG_RW, &biba_enabled,
97 0, "Enforce MAC/Biba policy");
98 TUNABLE_INT("security.mac.biba.enabled", &biba_enabled);
100 static int destroyed_not_inited;
101 SYSCTL_INT(_security_mac_biba, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
102 &destroyed_not_inited, 0, "Count of labels destroyed but not inited");
104 static int trust_all_interfaces = 0;
105 SYSCTL_INT(_security_mac_biba, OID_AUTO, trust_all_interfaces, CTLFLAG_RD,
106 &trust_all_interfaces, 0, "Consider all interfaces 'trusted' by MAC/Biba");
107 TUNABLE_INT("security.mac.biba.trust_all_interfaces", &trust_all_interfaces);
109 static char trusted_interfaces[128];
110 SYSCTL_STRING(_security_mac_biba, OID_AUTO, trusted_interfaces, CTLFLAG_RD,
111 trusted_interfaces, 0, "Interfaces considered 'trusted' by MAC/Biba");
112 TUNABLE_STR("security.mac.biba.trusted_interfaces", trusted_interfaces,
113 sizeof(trusted_interfaces));
115 static int max_compartments = MAC_BIBA_MAX_COMPARTMENTS;
116 SYSCTL_INT(_security_mac_biba, OID_AUTO, max_compartments, CTLFLAG_RD,
117 &max_compartments, 0, "Maximum supported compartments");
119 static int ptys_equal = 0;
120 SYSCTL_INT(_security_mac_biba, OID_AUTO, ptys_equal, CTLFLAG_RW, &ptys_equal,
121 0, "Label pty devices as biba/equal on create");
122 TUNABLE_INT("security.mac.biba.ptys_equal", &ptys_equal);
124 static int interfaces_equal;
125 SYSCTL_INT(_security_mac_biba, OID_AUTO, interfaces_equal, CTLFLAG_RW,
126 &interfaces_equal, 0, "Label network interfaces as biba/equal on create");
127 TUNABLE_INT("security.mac.biba.interfaces_equal", &interfaces_equal);
129 static int revocation_enabled = 0;
130 SYSCTL_INT(_security_mac_biba, OID_AUTO, revocation_enabled, CTLFLAG_RW,
131 &revocation_enabled, 0, "Revoke access to objects on relabel");
132 TUNABLE_INT("security.mac.biba.revocation_enabled", &revocation_enabled);
134 static int biba_slot;
135 #define SLOT(l) ((struct mac_biba *)mac_label_get((l), biba_slot))
136 #define SLOT_SET(l, val) mac_label_set((l), biba_slot, (uintptr_t)(val))
138 static uma_zone_t zone_biba;
141 biba_bit_set_empty(u_char *set) {
144 for (i = 0; i < MAC_BIBA_MAX_COMPARTMENTS >> 3; i++)
150 static struct mac_biba *
154 return (uma_zalloc(zone_biba, flag | M_ZERO));
158 biba_free(struct mac_biba *mb)
162 uma_zfree(zone_biba, mb);
164 atomic_add_int(&destroyed_not_inited, 1);
168 biba_atmostflags(struct mac_biba *mb, int flags)
171 if ((mb->mb_flags & flags) != mb->mb_flags)
177 biba_dominate_element(struct mac_biba_element *a, struct mac_biba_element *b)
181 switch (a->mbe_type) {
182 case MAC_BIBA_TYPE_EQUAL:
183 case MAC_BIBA_TYPE_HIGH:
186 case MAC_BIBA_TYPE_LOW:
187 switch (b->mbe_type) {
188 case MAC_BIBA_TYPE_GRADE:
189 case MAC_BIBA_TYPE_HIGH:
192 case MAC_BIBA_TYPE_EQUAL:
193 case MAC_BIBA_TYPE_LOW:
197 panic("biba_dominate_element: b->mbe_type invalid");
200 case MAC_BIBA_TYPE_GRADE:
201 switch (b->mbe_type) {
202 case MAC_BIBA_TYPE_EQUAL:
203 case MAC_BIBA_TYPE_LOW:
206 case MAC_BIBA_TYPE_HIGH:
209 case MAC_BIBA_TYPE_GRADE:
210 for (bit = 1; bit <= MAC_BIBA_MAX_COMPARTMENTS; bit++)
211 if (!MAC_BIBA_BIT_TEST(bit,
212 a->mbe_compartments) &&
213 MAC_BIBA_BIT_TEST(bit, b->mbe_compartments))
215 return (a->mbe_grade >= b->mbe_grade);
218 panic("biba_dominate_element: b->mbe_type invalid");
222 panic("biba_dominate_element: a->mbe_type invalid");
229 biba_subject_dominate_high(struct mac_biba *mb)
231 struct mac_biba_element *element;
233 KASSERT((mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
234 ("biba_effective_in_range: mb not effective"));
235 element = &mb->mb_effective;
237 return (element->mbe_type == MAC_BIBA_TYPE_EQUAL ||
238 element->mbe_type == MAC_BIBA_TYPE_HIGH);
242 biba_range_in_range(struct mac_biba *rangea, struct mac_biba *rangeb)
245 return (biba_dominate_element(&rangeb->mb_rangehigh,
246 &rangea->mb_rangehigh) &&
247 biba_dominate_element(&rangea->mb_rangelow,
248 &rangeb->mb_rangelow));
252 biba_effective_in_range(struct mac_biba *effective, struct mac_biba *range)
255 KASSERT((effective->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
256 ("biba_effective_in_range: a not effective"));
257 KASSERT((range->mb_flags & MAC_BIBA_FLAG_RANGE) != 0,
258 ("biba_effective_in_range: b not range"));
260 return (biba_dominate_element(&range->mb_rangehigh,
261 &effective->mb_effective) &&
262 biba_dominate_element(&effective->mb_effective,
263 &range->mb_rangelow));
269 biba_dominate_effective(struct mac_biba *a, struct mac_biba *b)
271 KASSERT((a->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
272 ("biba_dominate_effective: a not effective"));
273 KASSERT((b->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
274 ("biba_dominate_effective: b not effective"));
276 return (biba_dominate_element(&a->mb_effective, &b->mb_effective));
280 biba_equal_element(struct mac_biba_element *a, struct mac_biba_element *b)
283 if (a->mbe_type == MAC_BIBA_TYPE_EQUAL ||
284 b->mbe_type == MAC_BIBA_TYPE_EQUAL)
287 return (a->mbe_type == b->mbe_type && a->mbe_grade == b->mbe_grade);
291 biba_equal_effective(struct mac_biba *a, struct mac_biba *b)
294 KASSERT((a->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
295 ("biba_equal_effective: a not effective"));
296 KASSERT((b->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
297 ("biba_equal_effective: b not effective"));
299 return (biba_equal_element(&a->mb_effective, &b->mb_effective));
303 biba_contains_equal(struct mac_biba *mb)
306 if (mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
307 if (mb->mb_effective.mbe_type == MAC_BIBA_TYPE_EQUAL)
311 if (mb->mb_flags & MAC_BIBA_FLAG_RANGE) {
312 if (mb->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL)
314 if (mb->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
322 biba_subject_privileged(struct mac_biba *mb)
325 KASSERT((mb->mb_flags & MAC_BIBA_FLAGS_BOTH) == MAC_BIBA_FLAGS_BOTH,
326 ("biba_subject_privileged: subject doesn't have both labels"));
328 /* If the effective is EQUAL, it's ok. */
329 if (mb->mb_effective.mbe_type == MAC_BIBA_TYPE_EQUAL)
332 /* If either range endpoint is EQUAL, it's ok. */
333 if (mb->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL ||
334 mb->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
337 /* If the range is low-high, it's ok. */
338 if (mb->mb_rangelow.mbe_type == MAC_BIBA_TYPE_LOW &&
339 mb->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_HIGH)
347 biba_high_effective(struct mac_biba *mb)
350 KASSERT((mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
351 ("biba_equal_effective: mac_biba not effective"));
353 return (mb->mb_effective.mbe_type == MAC_BIBA_TYPE_HIGH);
357 biba_valid(struct mac_biba *mb)
360 if (mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
361 switch (mb->mb_effective.mbe_type) {
362 case MAC_BIBA_TYPE_GRADE:
365 case MAC_BIBA_TYPE_EQUAL:
366 case MAC_BIBA_TYPE_HIGH:
367 case MAC_BIBA_TYPE_LOW:
368 if (mb->mb_effective.mbe_grade != 0 ||
369 !MAC_BIBA_BIT_SET_EMPTY(
370 mb->mb_effective.mbe_compartments))
378 if (mb->mb_effective.mbe_type != MAC_BIBA_TYPE_UNDEF)
382 if (mb->mb_flags & MAC_BIBA_FLAG_RANGE) {
383 switch (mb->mb_rangelow.mbe_type) {
384 case MAC_BIBA_TYPE_GRADE:
387 case MAC_BIBA_TYPE_EQUAL:
388 case MAC_BIBA_TYPE_HIGH:
389 case MAC_BIBA_TYPE_LOW:
390 if (mb->mb_rangelow.mbe_grade != 0 ||
391 !MAC_BIBA_BIT_SET_EMPTY(
392 mb->mb_rangelow.mbe_compartments))
400 switch (mb->mb_rangehigh.mbe_type) {
401 case MAC_BIBA_TYPE_GRADE:
404 case MAC_BIBA_TYPE_EQUAL:
405 case MAC_BIBA_TYPE_HIGH:
406 case MAC_BIBA_TYPE_LOW:
407 if (mb->mb_rangehigh.mbe_grade != 0 ||
408 !MAC_BIBA_BIT_SET_EMPTY(
409 mb->mb_rangehigh.mbe_compartments))
416 if (!biba_dominate_element(&mb->mb_rangehigh,
420 if (mb->mb_rangelow.mbe_type != MAC_BIBA_TYPE_UNDEF ||
421 mb->mb_rangehigh.mbe_type != MAC_BIBA_TYPE_UNDEF)
429 biba_set_range(struct mac_biba *mb, u_short typelow, u_short gradelow,
430 u_char *compartmentslow, u_short typehigh, u_short gradehigh,
431 u_char *compartmentshigh)
434 mb->mb_rangelow.mbe_type = typelow;
435 mb->mb_rangelow.mbe_grade = gradelow;
436 if (compartmentslow != NULL)
437 memcpy(mb->mb_rangelow.mbe_compartments, compartmentslow,
438 sizeof(mb->mb_rangelow.mbe_compartments));
439 mb->mb_rangehigh.mbe_type = typehigh;
440 mb->mb_rangehigh.mbe_grade = gradehigh;
441 if (compartmentshigh != NULL)
442 memcpy(mb->mb_rangehigh.mbe_compartments, compartmentshigh,
443 sizeof(mb->mb_rangehigh.mbe_compartments));
444 mb->mb_flags |= MAC_BIBA_FLAG_RANGE;
448 biba_set_effective(struct mac_biba *mb, u_short type, u_short grade,
449 u_char *compartments)
452 mb->mb_effective.mbe_type = type;
453 mb->mb_effective.mbe_grade = grade;
454 if (compartments != NULL)
455 memcpy(mb->mb_effective.mbe_compartments, compartments,
456 sizeof(mb->mb_effective.mbe_compartments));
457 mb->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE;
461 biba_copy_range(struct mac_biba *labelfrom, struct mac_biba *labelto)
464 KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_RANGE) != 0,
465 ("biba_copy_range: labelfrom not range"));
467 labelto->mb_rangelow = labelfrom->mb_rangelow;
468 labelto->mb_rangehigh = labelfrom->mb_rangehigh;
469 labelto->mb_flags |= MAC_BIBA_FLAG_RANGE;
473 biba_copy_effective(struct mac_biba *labelfrom, struct mac_biba *labelto)
476 KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
477 ("biba_copy_effective: labelfrom not effective"));
479 labelto->mb_effective = labelfrom->mb_effective;
480 labelto->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE;
484 biba_copy(struct mac_biba *source, struct mac_biba *dest)
487 if (source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE)
488 biba_copy_effective(source, dest);
489 if (source->mb_flags & MAC_BIBA_FLAG_RANGE)
490 biba_copy_range(source, dest);
494 * Policy module operations.
497 biba_init(struct mac_policy_conf *conf)
500 zone_biba = uma_zcreate("mac_biba", sizeof(struct mac_biba), NULL,
501 NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
508 biba_init_label(struct label *label)
511 SLOT_SET(label, biba_alloc(M_WAITOK));
515 biba_init_label_waitcheck(struct label *label, int flag)
518 SLOT_SET(label, biba_alloc(flag));
519 if (SLOT(label) == NULL)
526 biba_destroy_label(struct label *label)
529 biba_free(SLOT(label));
530 SLOT_SET(label, NULL);
534 * biba_element_to_string() accepts an sbuf and Biba element. It converts
535 * the Biba element to a string and stores the result in the sbuf; if there
536 * isn't space in the sbuf, -1 is returned.
539 biba_element_to_string(struct sbuf *sb, struct mac_biba_element *element)
543 switch (element->mbe_type) {
544 case MAC_BIBA_TYPE_HIGH:
545 return (sbuf_printf(sb, "high"));
547 case MAC_BIBA_TYPE_LOW:
548 return (sbuf_printf(sb, "low"));
550 case MAC_BIBA_TYPE_EQUAL:
551 return (sbuf_printf(sb, "equal"));
553 case MAC_BIBA_TYPE_GRADE:
554 if (sbuf_printf(sb, "%d", element->mbe_grade) == -1)
558 for (i = 1; i <= MAC_BIBA_MAX_COMPARTMENTS; i++) {
559 if (MAC_BIBA_BIT_TEST(i, element->mbe_compartments)) {
561 if (sbuf_putc(sb, ':') == -1)
563 if (sbuf_printf(sb, "%d", i) == -1)
567 if (sbuf_printf(sb, "+%d", i) == -1)
575 panic("biba_element_to_string: invalid type (%d)",
581 * biba_to_string() converts a Biba label to a string, and places the results
582 * in the passed sbuf. It returns 0 on success, or EINVAL if there isn't
583 * room in the sbuf. Note: the sbuf will be modified even in a failure case,
584 * so the caller may need to revert the sbuf by restoring the offset if
588 biba_to_string(struct sbuf *sb, struct mac_biba *mb)
591 if (mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
592 if (biba_element_to_string(sb, &mb->mb_effective) == -1)
596 if (mb->mb_flags & MAC_BIBA_FLAG_RANGE) {
597 if (sbuf_putc(sb, '(') == -1)
600 if (biba_element_to_string(sb, &mb->mb_rangelow) == -1)
603 if (sbuf_putc(sb, '-') == -1)
606 if (biba_element_to_string(sb, &mb->mb_rangehigh) == -1)
609 if (sbuf_putc(sb, ')') == -1)
617 biba_externalize_label(struct label *label, char *element_name,
618 struct sbuf *sb, int *claimed)
622 if (strcmp(MAC_BIBA_LABEL_NAME, element_name) != 0)
628 return (biba_to_string(sb, mb));
632 biba_parse_element(struct mac_biba_element *element, char *string)
634 char *compartment, *end, *grade;
637 if (strcmp(string, "high") == 0 || strcmp(string, "hi") == 0) {
638 element->mbe_type = MAC_BIBA_TYPE_HIGH;
639 element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
640 } else if (strcmp(string, "low") == 0 || strcmp(string, "lo") == 0) {
641 element->mbe_type = MAC_BIBA_TYPE_LOW;
642 element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
643 } else if (strcmp(string, "equal") == 0 ||
644 strcmp(string, "eq") == 0) {
645 element->mbe_type = MAC_BIBA_TYPE_EQUAL;
646 element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
648 element->mbe_type = MAC_BIBA_TYPE_GRADE;
651 * Numeric grade piece of the element.
653 grade = strsep(&string, ":");
654 value = strtol(grade, &end, 10);
655 if (end == grade || *end != '\0')
657 if (value < 0 || value > 65535)
659 element->mbe_grade = value;
662 * Optional compartment piece of the element. If none are
663 * included, we assume that the label has no compartments.
670 while ((compartment = strsep(&string, "+")) != NULL) {
671 value = strtol(compartment, &end, 10);
672 if (compartment == end || *end != '\0')
674 if (value < 1 || value > MAC_BIBA_MAX_COMPARTMENTS)
676 MAC_BIBA_BIT_SET(value, element->mbe_compartments);
684 * Note: destructively consumes the string, make a local copy before calling
685 * if that's a problem.
688 biba_parse(struct mac_biba *mb, char *string)
690 char *rangehigh, *rangelow, *effective;
693 effective = strsep(&string, "(");
694 if (*effective == '\0')
697 if (string != NULL) {
698 rangelow = strsep(&string, "-");
701 rangehigh = strsep(&string, ")");
711 KASSERT((rangelow != NULL && rangehigh != NULL) ||
712 (rangelow == NULL && rangehigh == NULL),
713 ("biba_parse: range mismatch"));
715 bzero(mb, sizeof(*mb));
716 if (effective != NULL) {
717 error = biba_parse_element(&mb->mb_effective, effective);
720 mb->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE;
723 if (rangelow != NULL) {
724 error = biba_parse_element(&mb->mb_rangelow, rangelow);
727 error = biba_parse_element(&mb->mb_rangehigh, rangehigh);
730 mb->mb_flags |= MAC_BIBA_FLAG_RANGE;
733 error = biba_valid(mb);
741 biba_internalize_label(struct label *label, char *element_name,
742 char *element_data, int *claimed)
744 struct mac_biba *mb, mb_temp;
747 if (strcmp(MAC_BIBA_LABEL_NAME, element_name) != 0)
752 error = biba_parse(&mb_temp, element_data);
763 biba_copy_label(struct label *src, struct label *dest)
766 *SLOT(dest) = *SLOT(src);
770 * Labeling event operations: file system objects, and things that look a lot
771 * like file system objects.
774 biba_create_devfs_device(struct ucred *cred, struct mount *mp,
775 struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
781 if (strcmp(dev->si_name, "null") == 0 ||
782 strcmp(dev->si_name, "zero")== 0 ||
783 strcmp(dev->si_name, "random") == 0 ||
784 strncmp(dev->si_name, "fd/", strlen("fd/")) == 0)
785 biba_type = MAC_BIBA_TYPE_EQUAL;
786 else if (ptys_equal &&
787 (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||
788 strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))
789 biba_type = MAC_BIBA_TYPE_EQUAL;
791 biba_type = MAC_BIBA_TYPE_HIGH;
792 biba_set_effective(mb, biba_type, 0, NULL);
796 biba_create_devfs_directory(struct mount *mp, char *dirname,
797 int dirnamelen, struct devfs_dirent *de, struct label *delabel)
802 biba_set_effective(mb, MAC_BIBA_TYPE_HIGH, 0, NULL);
806 biba_create_devfs_symlink(struct ucred *cred, struct mount *mp,
807 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
808 struct label *delabel)
810 struct mac_biba *source, *dest;
812 source = SLOT(cred->cr_label);
813 dest = SLOT(delabel);
815 biba_copy_effective(source, dest);
819 biba_create_mount(struct ucred *cred, struct mount *mp,
820 struct label *mplabel)
822 struct mac_biba *source, *dest;
824 source = SLOT(cred->cr_label);
825 dest = SLOT(mplabel);
827 biba_copy_effective(source, dest);
831 biba_relabel_vnode(struct ucred *cred, struct vnode *vp,
832 struct label *vplabel, struct label *newlabel)
834 struct mac_biba *source, *dest;
836 source = SLOT(newlabel);
837 dest = SLOT(vplabel);
839 biba_copy(source, dest);
843 biba_update_devfs(struct mount *mp, struct devfs_dirent *de,
844 struct label *delabel, struct vnode *vp, struct label *vplabel)
846 struct mac_biba *source, *dest;
848 source = SLOT(vplabel);
849 dest = SLOT(delabel);
851 biba_copy(source, dest);
855 biba_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
856 struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
857 struct label *vplabel)
859 struct mac_biba *source, *dest;
861 source = SLOT(delabel);
862 dest = SLOT(vplabel);
864 biba_copy_effective(source, dest);
868 biba_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
869 struct vnode *vp, struct label *vplabel)
871 struct mac_biba temp, *source, *dest;
874 source = SLOT(mplabel);
875 dest = SLOT(vplabel);
877 buflen = sizeof(temp);
878 bzero(&temp, buflen);
880 error = vn_extattr_get(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
881 MAC_BIBA_EXTATTR_NAME, &buflen, (char *) &temp, curthread);
882 if (error == ENOATTR || error == EOPNOTSUPP) {
883 /* Fall back to the mntlabel. */
884 biba_copy_effective(source, dest);
889 if (buflen != sizeof(temp)) {
890 printf("biba_associate_vnode_extattr: bad size %d\n",
894 if (biba_valid(&temp) != 0) {
895 printf("biba_associate_vnode_extattr: invalid\n");
898 if ((temp.mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_EFFECTIVE) {
899 printf("biba_associate_vnode_extattr: not effective\n");
903 biba_copy_effective(&temp, dest);
908 biba_associate_vnode_singlelabel(struct mount *mp,
909 struct label *mplabel, struct vnode *vp, struct label *vplabel)
911 struct mac_biba *source, *dest;
913 source = SLOT(mplabel);
914 dest = SLOT(vplabel);
916 biba_copy_effective(source, dest);
920 biba_create_vnode_extattr(struct ucred *cred, struct mount *mp,
921 struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
922 struct vnode *vp, struct label *vplabel, struct componentname *cnp)
924 struct mac_biba *source, *dest, temp;
928 buflen = sizeof(temp);
929 bzero(&temp, buflen);
931 source = SLOT(cred->cr_label);
932 dest = SLOT(vplabel);
933 biba_copy_effective(source, &temp);
935 error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
936 MAC_BIBA_EXTATTR_NAME, buflen, (char *) &temp, curthread);
938 biba_copy_effective(source, dest);
943 biba_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
944 struct label *vplabel, struct label *intlabel)
946 struct mac_biba *source, temp;
950 buflen = sizeof(temp);
951 bzero(&temp, buflen);
953 source = SLOT(intlabel);
954 if ((source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) == 0)
957 biba_copy_effective(source, &temp);
959 error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
960 MAC_BIBA_EXTATTR_NAME, buflen, (char *) &temp, curthread);
965 * Labeling event operations: IPC object.
968 biba_create_inpcb_from_socket(struct socket *so, struct label *solabel,
969 struct inpcb *inp, struct label *inplabel)
971 struct mac_biba *source, *dest;
973 source = SLOT(solabel);
974 dest = SLOT(inplabel);
976 biba_copy_effective(source, dest);
980 biba_create_mbuf_from_socket(struct socket *so, struct label *solabel,
981 struct mbuf *m, struct label *mlabel)
983 struct mac_biba *source, *dest;
985 source = SLOT(solabel);
988 biba_copy_effective(source, dest);
992 biba_create_socket(struct ucred *cred, struct socket *so,
993 struct label *solabel)
995 struct mac_biba *source, *dest;
997 source = SLOT(cred->cr_label);
998 dest = SLOT(solabel);
1000 biba_copy_effective(source, dest);
1004 biba_create_pipe(struct ucred *cred, struct pipepair *pp,
1005 struct label *pplabel)
1007 struct mac_biba *source, *dest;
1009 source = SLOT(cred->cr_label);
1010 dest = SLOT(pplabel);
1012 biba_copy_effective(source, dest);
1016 biba_create_posix_sem(struct ucred *cred, struct ksem *ks,
1017 struct label *kslabel)
1019 struct mac_biba *source, *dest;
1021 source = SLOT(cred->cr_label);
1022 dest = SLOT(kslabel);
1024 biba_copy_effective(source, dest);
1028 biba_create_socket_from_socket(struct socket *oldso,
1029 struct label *oldsolabel, struct socket *newso, struct label *newsolabel)
1031 struct mac_biba *source, *dest;
1033 source = SLOT(oldsolabel);
1034 dest = SLOT(newsolabel);
1036 biba_copy_effective(source, dest);
1040 biba_relabel_socket(struct ucred *cred, struct socket *so,
1041 struct label *solabel, struct label *newlabel)
1043 struct mac_biba *source, *dest;
1045 source = SLOT(newlabel);
1046 dest = SLOT(solabel);
1048 biba_copy(source, dest);
1052 biba_relabel_pipe(struct ucred *cred, struct pipepair *pp,
1053 struct label *pplabel, struct label *newlabel)
1055 struct mac_biba *source, *dest;
1057 source = SLOT(newlabel);
1058 dest = SLOT(pplabel);
1060 biba_copy(source, dest);
1064 biba_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
1065 struct socket *so, struct label *sopeerlabel)
1067 struct mac_biba *source, *dest;
1069 source = SLOT(mlabel);
1070 dest = SLOT(sopeerlabel);
1072 biba_copy_effective(source, dest);
1076 * Labeling event operations: System V IPC objects.
1079 biba_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
1080 struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
1082 struct mac_biba *source, *dest;
1084 /* Ignore the msgq label */
1085 source = SLOT(cred->cr_label);
1086 dest = SLOT(msglabel);
1088 biba_copy_effective(source, dest);
1092 biba_create_sysv_msgqueue(struct ucred *cred,
1093 struct msqid_kernel *msqkptr, struct label *msqlabel)
1095 struct mac_biba *source, *dest;
1097 source = SLOT(cred->cr_label);
1098 dest = SLOT(msqlabel);
1100 biba_copy_effective(source, dest);
1104 biba_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
1105 struct label *semalabel)
1107 struct mac_biba *source, *dest;
1109 source = SLOT(cred->cr_label);
1110 dest = SLOT(semalabel);
1112 biba_copy_effective(source, dest);
1116 biba_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
1117 struct label *shmlabel)
1119 struct mac_biba *source, *dest;
1121 source = SLOT(cred->cr_label);
1122 dest = SLOT(shmlabel);
1124 biba_copy_effective(source, dest);
1128 * Labeling event operations: network objects.
1131 biba_set_socket_peer_from_socket(struct socket *oldso,
1132 struct label *oldsolabel, struct socket *newso,
1133 struct label *newsopeerlabel)
1135 struct mac_biba *source, *dest;
1137 source = SLOT(oldsolabel);
1138 dest = SLOT(newsopeerlabel);
1140 biba_copy_effective(source, dest);
1144 biba_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
1145 struct label *dlabel)
1147 struct mac_biba *source, *dest;
1149 source = SLOT(cred->cr_label);
1150 dest = SLOT(dlabel);
1152 biba_copy_effective(source, dest);
1156 biba_create_ifnet(struct ifnet *ifp, struct label *ifplabel)
1158 char tifname[IFNAMSIZ], *p, *q;
1159 char tiflist[sizeof(trusted_interfaces)];
1160 struct mac_biba *dest;
1163 dest = SLOT(ifplabel);
1165 if (ifp->if_type == IFT_LOOP || interfaces_equal != 0) {
1166 type = MAC_BIBA_TYPE_EQUAL;
1170 if (trust_all_interfaces) {
1171 type = MAC_BIBA_TYPE_HIGH;
1175 type = MAC_BIBA_TYPE_LOW;
1177 if (trusted_interfaces[0] == '\0' ||
1178 !strvalid(trusted_interfaces, sizeof(trusted_interfaces)))
1181 bzero(tiflist, sizeof(tiflist));
1182 for (p = trusted_interfaces, q = tiflist; *p != '\0'; p++, q++)
1183 if(*p != ' ' && *p != '\t')
1186 for (p = q = tiflist;; p++) {
1187 if (*p == ',' || *p == '\0') {
1189 if (len < IFNAMSIZ) {
1190 bzero(tifname, sizeof(tifname));
1191 bcopy(q, tifname, len);
1192 if (strcmp(tifname, ifp->if_xname) == 0) {
1193 type = MAC_BIBA_TYPE_HIGH;
1198 printf("mac_biba warning: interface name "
1199 "\"%s\" is too long (must be < %d)\n",
1208 biba_set_effective(dest, type, 0, NULL);
1209 biba_set_range(dest, type, 0, NULL, type, 0, NULL);
1213 biba_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *q,
1214 struct label *qlabel)
1216 struct mac_biba *source, *dest;
1218 source = SLOT(mlabel);
1219 dest = SLOT(qlabel);
1221 biba_copy_effective(source, dest);
1225 biba_create_datagram_from_ipq(struct ipq *q, struct label *qlabel,
1226 struct mbuf *m, struct label *mlabel)
1228 struct mac_biba *source, *dest;
1230 source = SLOT(qlabel);
1231 dest = SLOT(mlabel);
1233 /* Just use the head, since we require them all to match. */
1234 biba_copy_effective(source, dest);
1238 biba_create_fragment(struct mbuf *m, struct label *mlabel,
1239 struct mbuf *frag, struct label *fraglabel)
1241 struct mac_biba *source, *dest;
1243 source = SLOT(mlabel);
1244 dest = SLOT(fraglabel);
1246 biba_copy_effective(source, dest);
1250 biba_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
1251 struct mbuf *m, struct label *mlabel)
1253 struct mac_biba *source, *dest;
1255 source = SLOT(inplabel);
1256 dest = SLOT(mlabel);
1258 biba_copy_effective(source, dest);
1262 biba_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel,
1263 struct mbuf *m, struct label *mlabel)
1265 struct mac_biba *dest;
1267 dest = SLOT(mlabel);
1269 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
1273 biba_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
1274 struct mbuf *m, struct label *mlabel)
1276 struct mac_biba *source, *dest;
1278 source = SLOT(dlabel);
1279 dest = SLOT(mlabel);
1281 biba_copy_effective(source, dest);
1285 biba_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
1286 struct mbuf *m, struct label *mlabel)
1288 struct mac_biba *source, *dest;
1290 source = SLOT(ifplabel);
1291 dest = SLOT(mlabel);
1293 biba_copy_effective(source, dest);
1297 biba_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
1298 struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew,
1299 struct label *mnewlabel)
1301 struct mac_biba *source, *dest;
1303 source = SLOT(mlabel);
1304 dest = SLOT(mnewlabel);
1306 biba_copy_effective(source, dest);
1310 biba_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
1311 struct mbuf *newm, struct label *mnewlabel)
1313 struct mac_biba *source, *dest;
1315 source = SLOT(mlabel);
1316 dest = SLOT(mnewlabel);
1318 biba_copy_effective(source, dest);
1322 biba_fragment_match(struct mbuf *m, struct label *mlabel, struct ipq *q,
1323 struct label *qlabel)
1325 struct mac_biba *a, *b;
1330 return (biba_equal_effective(a, b));
1334 biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
1335 struct label *ifplabel, struct label *newlabel)
1337 struct mac_biba *source, *dest;
1339 source = SLOT(newlabel);
1340 dest = SLOT(ifplabel);
1342 biba_copy(source, dest);
1346 biba_update_ipq(struct mbuf *m, struct label *mlabel, struct ipq *q,
1347 struct label *qlabel)
1350 /* NOOP: we only accept matching labels, so no need to update */
1354 biba_inpcb_sosetlabel(struct socket *so, struct label *solabel,
1355 struct inpcb *inp, struct label *inplabel)
1357 struct mac_biba *source, *dest;
1359 source = SLOT(solabel);
1360 dest = SLOT(inplabel);
1362 biba_copy(source, dest);
1366 biba_create_mbuf_from_firewall(struct mbuf *m, struct label *label)
1368 struct mac_biba *dest;
1372 /* XXX: where is the label for the firewall really comming from? */
1373 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
1377 * Labeling event operations: processes.
1380 biba_create_proc0(struct ucred *cred)
1382 struct mac_biba *dest;
1384 dest = SLOT(cred->cr_label);
1386 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
1387 biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
1392 biba_create_proc1(struct ucred *cred)
1394 struct mac_biba *dest;
1396 dest = SLOT(cred->cr_label);
1398 biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
1399 biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
1404 biba_relabel_cred(struct ucred *cred, struct label *newlabel)
1406 struct mac_biba *source, *dest;
1408 source = SLOT(newlabel);
1409 dest = SLOT(cred->cr_label);
1411 biba_copy(source, dest);
1415 * Label cleanup/flush operations
1418 biba_cleanup_sysv_msgmsg(struct label *msglabel)
1421 bzero(SLOT(msglabel), sizeof(struct mac_biba));
1425 biba_cleanup_sysv_msgqueue(struct label *msqlabel)
1428 bzero(SLOT(msqlabel), sizeof(struct mac_biba));
1432 biba_cleanup_sysv_sem(struct label *semalabel)
1435 bzero(SLOT(semalabel), sizeof(struct mac_biba));
1439 biba_cleanup_sysv_shm(struct label *shmlabel)
1441 bzero(SLOT(shmlabel), sizeof(struct mac_biba));
1445 * Access control checks.
1448 biba_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
1449 struct ifnet *ifp, struct label *ifplabel)
1451 struct mac_biba *a, *b;
1459 if (biba_equal_effective(a, b))
1465 biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
1467 struct mac_biba *subj, *new;
1470 subj = SLOT(cred->cr_label);
1471 new = SLOT(newlabel);
1474 * If there is a Biba label update for the credential, it may be an
1475 * update of the effective, range, or both.
1477 error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
1482 * If the Biba label is to be changed, authorize as appropriate.
1484 if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
1486 * If the change request modifies both the Biba label
1487 * effective and range, check that the new effective will be
1490 if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
1491 MAC_BIBA_FLAGS_BOTH &&
1492 !biba_effective_in_range(new, new))
1496 * To change the Biba effective label on a credential, the
1497 * new effective label must be in the current range.
1499 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE &&
1500 !biba_effective_in_range(new, subj))
1504 * To change the Biba range on a credential, the new range
1505 * label must be in the current range.
1507 if (new->mb_flags & MAC_BIBA_FLAG_RANGE &&
1508 !biba_range_in_range(new, subj))
1512 * To have EQUAL in any component of the new credential Biba
1513 * label, the subject must already have EQUAL in their label.
1515 if (biba_contains_equal(new)) {
1516 error = biba_subject_privileged(subj);
1526 biba_check_cred_visible(struct ucred *u1, struct ucred *u2)
1528 struct mac_biba *subj, *obj;
1533 subj = SLOT(u1->cr_label);
1534 obj = SLOT(u2->cr_label);
1537 if (!biba_dominate_effective(obj, subj))
1544 biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
1545 struct label *ifplabel, struct label *newlabel)
1547 struct mac_biba *subj, *new;
1550 subj = SLOT(cred->cr_label);
1551 new = SLOT(newlabel);
1554 * If there is a Biba label update for the interface, it may be an
1555 * update of the effective, range, or both.
1557 error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
1562 * Relabling network interfaces requires Biba privilege.
1564 error = biba_subject_privileged(subj);
1572 biba_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
1573 struct mbuf *m, struct label *mlabel)
1575 struct mac_biba *p, *i;
1583 return (biba_effective_in_range(p, i) ? 0 : EACCES);
1587 biba_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
1588 struct mbuf *m, struct label *mlabel)
1590 struct mac_biba *p, *i;
1598 return (biba_equal_effective(p, i) ? 0 : EACCES);
1602 biba_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
1603 struct label *inplabel)
1605 struct mac_biba *subj, *obj;
1610 subj = SLOT(cred->cr_label);
1611 obj = SLOT(inplabel);
1613 if (!biba_dominate_effective(obj, subj))
1620 biba_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
1621 struct label *msglabel)
1623 struct mac_biba *subj, *obj;
1628 subj = SLOT(cred->cr_label);
1629 obj = SLOT(msglabel);
1631 if (!biba_dominate_effective(obj, subj))
1638 biba_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
1639 struct label *msglabel)
1641 struct mac_biba *subj, *obj;
1646 subj = SLOT(cred->cr_label);
1647 obj = SLOT(msglabel);
1649 if (!biba_dominate_effective(subj, obj))
1656 biba_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
1657 struct label *msqklabel)
1659 struct mac_biba *subj, *obj;
1664 subj = SLOT(cred->cr_label);
1665 obj = SLOT(msqklabel);
1667 if (!biba_dominate_effective(obj, subj))
1674 biba_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
1675 struct label *msqklabel)
1677 struct mac_biba *subj, *obj;
1682 subj = SLOT(cred->cr_label);
1683 obj = SLOT(msqklabel);
1685 if (!biba_dominate_effective(subj, obj))
1692 biba_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
1693 struct label *msqklabel)
1695 struct mac_biba *subj, *obj;
1700 subj = SLOT(cred->cr_label);
1701 obj = SLOT(msqklabel);
1703 if (!biba_dominate_effective(obj, subj))
1710 biba_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
1711 struct label *msqklabel, int cmd)
1713 struct mac_biba *subj, *obj;
1718 subj = SLOT(cred->cr_label);
1719 obj = SLOT(msqklabel);
1724 if (!biba_dominate_effective(subj, obj))
1729 if (!biba_dominate_effective(obj, subj))
1741 biba_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
1742 struct label *semaklabel, int cmd)
1744 struct mac_biba *subj, *obj;
1749 subj = SLOT(cred->cr_label);
1750 obj = SLOT(semaklabel);
1757 if (!biba_dominate_effective(subj, obj))
1767 if (!biba_dominate_effective(obj, subj))
1779 biba_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
1780 struct label *semaklabel)
1782 struct mac_biba *subj, *obj;
1787 subj = SLOT(cred->cr_label);
1788 obj = SLOT(semaklabel);
1790 if (!biba_dominate_effective(obj, subj))
1797 biba_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
1798 struct label *semaklabel, size_t accesstype)
1800 struct mac_biba *subj, *obj;
1805 subj = SLOT(cred->cr_label);
1806 obj = SLOT(semaklabel);
1808 if (accesstype & SEM_R)
1809 if (!biba_dominate_effective(obj, subj))
1812 if (accesstype & SEM_A)
1813 if (!biba_dominate_effective(subj, obj))
1820 biba_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
1821 struct label *shmseglabel, int shmflg)
1823 struct mac_biba *subj, *obj;
1828 subj = SLOT(cred->cr_label);
1829 obj = SLOT(shmseglabel);
1831 if (!biba_dominate_effective(obj, subj))
1833 if ((shmflg & SHM_RDONLY) == 0) {
1834 if (!biba_dominate_effective(subj, obj))
1842 biba_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
1843 struct label *shmseglabel, int cmd)
1845 struct mac_biba *subj, *obj;
1850 subj = SLOT(cred->cr_label);
1851 obj = SLOT(shmseglabel);
1856 if (!biba_dominate_effective(subj, obj))
1862 if (!biba_dominate_effective(obj, subj))
1874 biba_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
1875 struct label *shmseglabel, int shmflg)
1877 struct mac_biba *subj, *obj;
1882 subj = SLOT(cred->cr_label);
1883 obj = SLOT(shmseglabel);
1885 if (!biba_dominate_effective(obj, subj))
1892 biba_check_kld_load(struct ucred *cred, struct vnode *vp,
1893 struct label *vplabel)
1895 struct mac_biba *subj, *obj;
1901 subj = SLOT(cred->cr_label);
1903 error = biba_subject_privileged(subj);
1907 obj = SLOT(vplabel);
1908 if (!biba_high_effective(obj))
1915 biba_check_mount_stat(struct ucred *cred, struct mount *mp,
1916 struct label *mplabel)
1918 struct mac_biba *subj, *obj;
1923 subj = SLOT(cred->cr_label);
1924 obj = SLOT(mplabel);
1926 if (!biba_dominate_effective(obj, subj))
1933 biba_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
1934 struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
1940 /* XXX: This will be implemented soon... */
1946 biba_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
1947 struct label *pplabel)
1949 struct mac_biba *subj, *obj;
1954 subj = SLOT(cred->cr_label);
1955 obj = SLOT(pplabel);
1957 if (!biba_dominate_effective(obj, subj))
1964 biba_check_pipe_read(struct ucred *cred, struct pipepair *pp,
1965 struct label *pplabel)
1967 struct mac_biba *subj, *obj;
1972 subj = SLOT(cred->cr_label);
1973 obj = SLOT(pplabel);
1975 if (!biba_dominate_effective(obj, subj))
1982 biba_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
1983 struct label *pplabel, struct label *newlabel)
1985 struct mac_biba *subj, *obj, *new;
1988 new = SLOT(newlabel);
1989 subj = SLOT(cred->cr_label);
1990 obj = SLOT(pplabel);
1993 * If there is a Biba label update for a pipe, it must be a effective
1996 error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
2001 * To perform a relabel of a pipe (Biba label or not), Biba must
2002 * authorize the relabel.
2004 if (!biba_effective_in_range(obj, subj))
2008 * If the Biba label is to be changed, authorize as appropriate.
2010 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
2012 * To change the Biba label on a pipe, the new pipe label
2013 * must be in the subject range.
2015 if (!biba_effective_in_range(new, subj))
2019 * To change the Biba label on a pipe to be EQUAL, the
2020 * subject must have appropriate privilege.
2022 if (biba_contains_equal(new)) {
2023 error = biba_subject_privileged(subj);
2033 biba_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
2034 struct label *pplabel)
2036 struct mac_biba *subj, *obj;
2041 subj = SLOT(cred->cr_label);
2042 obj = SLOT(pplabel);
2044 if (!biba_dominate_effective(obj, subj))
2051 biba_check_pipe_write(struct ucred *cred, struct pipepair *pp,
2052 struct label *pplabel)
2054 struct mac_biba *subj, *obj;
2059 subj = SLOT(cred->cr_label);
2060 obj = SLOT(pplabel);
2062 if (!biba_dominate_effective(subj, obj))
2069 biba_check_posix_sem_write(struct ucred *cred, struct ksem *ks,
2070 struct label *kslabel)
2072 struct mac_biba *subj, *obj;
2077 subj = SLOT(cred->cr_label);
2078 obj = SLOT(kslabel);
2080 if (!biba_dominate_effective(subj, obj))
2087 biba_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ks,
2088 struct label *kslabel)
2090 struct mac_biba *subj, *obj;
2095 subj = SLOT(cred->cr_label);
2096 obj = SLOT(kslabel);
2098 if (!biba_dominate_effective(obj, subj))
2105 biba_check_proc_debug(struct ucred *cred, struct proc *p)
2107 struct mac_biba *subj, *obj;
2112 subj = SLOT(cred->cr_label);
2113 obj = SLOT(p->p_ucred->cr_label);
2115 /* XXX: range checks */
2116 if (!biba_dominate_effective(obj, subj))
2118 if (!biba_dominate_effective(subj, obj))
2125 biba_check_proc_sched(struct ucred *cred, struct proc *p)
2127 struct mac_biba *subj, *obj;
2132 subj = SLOT(cred->cr_label);
2133 obj = SLOT(p->p_ucred->cr_label);
2135 /* XXX: range checks */
2136 if (!biba_dominate_effective(obj, subj))
2138 if (!biba_dominate_effective(subj, obj))
2145 biba_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
2147 struct mac_biba *subj, *obj;
2152 subj = SLOT(cred->cr_label);
2153 obj = SLOT(p->p_ucred->cr_label);
2155 /* XXX: range checks */
2156 if (!biba_dominate_effective(obj, subj))
2158 if (!biba_dominate_effective(subj, obj))
2165 biba_check_socket_deliver(struct socket *so, struct label *solabel,
2166 struct mbuf *m, struct label *mlabel)
2168 struct mac_biba *p, *s;
2176 return (biba_equal_effective(p, s) ? 0 : EACCES);
2180 biba_check_socket_relabel(struct ucred *cred, struct socket *so,
2181 struct label *solabel, struct label *newlabel)
2183 struct mac_biba *subj, *obj, *new;
2186 new = SLOT(newlabel);
2187 subj = SLOT(cred->cr_label);
2188 obj = SLOT(solabel);
2191 * If there is a Biba label update for the socket, it may be an
2192 * update of effective.
2194 error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
2199 * To relabel a socket, the old socket effective must be in the
2202 if (!biba_effective_in_range(obj, subj))
2206 * If the Biba label is to be changed, authorize as appropriate.
2208 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
2210 * To relabel a socket, the new socket effective must be in
2211 * the subject range.
2213 if (!biba_effective_in_range(new, subj))
2217 * To change the Biba label on the socket to contain EQUAL,
2218 * the subject must have appropriate privilege.
2220 if (biba_contains_equal(new)) {
2221 error = biba_subject_privileged(subj);
2231 biba_check_socket_visible(struct ucred *cred, struct socket *so,
2232 struct label *solabel)
2234 struct mac_biba *subj, *obj;
2239 subj = SLOT(cred->cr_label);
2240 obj = SLOT(solabel);
2242 if (!biba_dominate_effective(obj, subj))
2249 * Some system privileges are allowed regardless of integrity grade; others
2250 * are allowed only when running with privilege with respect to the Biba
2251 * policy as they might otherwise allow bypassing of the integrity policy.
2254 biba_priv_check(struct ucred *cred, int priv)
2256 struct mac_biba *subj;
2263 * Exempt only specific privileges from the Biba integrity policy.
2270 * Allow processes to manipulate basic process audit properties, and
2271 * to submit audit records.
2273 case PRIV_AUDIT_GETAUDIT:
2274 case PRIV_AUDIT_SETAUDIT:
2275 case PRIV_AUDIT_SUBMIT:
2278 * Allow processes to manipulate their regular UNIX credentials.
2280 case PRIV_CRED_SETUID:
2281 case PRIV_CRED_SETEUID:
2282 case PRIV_CRED_SETGID:
2283 case PRIV_CRED_SETEGID:
2284 case PRIV_CRED_SETGROUPS:
2285 case PRIV_CRED_SETREUID:
2286 case PRIV_CRED_SETREGID:
2287 case PRIV_CRED_SETRESUID:
2288 case PRIV_CRED_SETRESGID:
2291 * Allow processes to perform system monitoring.
2293 case PRIV_SEEOTHERGIDS:
2294 case PRIV_SEEOTHERUIDS:
2298 * Allow access to general process debugging facilities. We
2299 * separately control debugging based on MAC label.
2301 case PRIV_DEBUG_DIFFCRED:
2302 case PRIV_DEBUG_SUGID:
2303 case PRIV_DEBUG_UNPRIV:
2306 * Allow manipulating jails.
2308 case PRIV_JAIL_ATTACH:
2311 * Allow privilege with respect to the Partition policy, but not the
2314 case PRIV_MAC_PARTITION:
2317 * Allow privilege with respect to process resource limits and login
2320 case PRIV_PROC_LIMIT:
2321 case PRIV_PROC_SETLOGIN:
2322 case PRIV_PROC_SETRLIMIT:
2325 * Allow System V and POSIX IPC privileges.
2328 case PRIV_IPC_WRITE:
2329 case PRIV_IPC_ADMIN:
2330 case PRIV_IPC_MSGSIZE:
2334 * Allow certain scheduler manipulations -- possibly this should be
2335 * controlled by more fine-grained policy, as potentially low
2336 * integrity processes can deny CPU to higher integrity ones.
2338 case PRIV_SCHED_DIFFCRED:
2339 case PRIV_SCHED_SETPRIORITY:
2340 case PRIV_SCHED_RTPRIO:
2341 case PRIV_SCHED_SETPOLICY:
2342 case PRIV_SCHED_SET:
2343 case PRIV_SCHED_SETPARAM:
2346 * More IPC privileges.
2348 case PRIV_SEM_WRITE:
2351 * Allow signaling privileges subject to integrity policy.
2353 case PRIV_SIGNAL_DIFFCRED:
2354 case PRIV_SIGNAL_SUGID:
2357 * Allow access to only limited sysctls from lower integrity levels;
2358 * piggy-back on the Jail definition.
2360 case PRIV_SYSCTL_WRITEJAIL:
2363 * Allow TTY-based privileges, subject to general device access using
2364 * labels on TTY device nodes, but not console privilege.
2366 case PRIV_TTY_DRAINWAIT:
2367 case PRIV_TTY_DTRWAIT:
2368 case PRIV_TTY_EXCLUSIVE:
2369 case PRIV_TTY_PRISON:
2374 * Grant most VFS privileges, as almost all are in practice bounded
2375 * by more specific checks using labels.
2378 case PRIV_VFS_WRITE:
2379 case PRIV_VFS_ADMIN:
2381 case PRIV_VFS_LOOKUP:
2382 case PRIV_VFS_CHFLAGS_DEV:
2383 case PRIV_VFS_CHOWN:
2384 case PRIV_VFS_CHROOT:
2385 case PRIV_VFS_RETAINSUGID:
2386 case PRIV_VFS_EXCEEDQUOTA:
2387 case PRIV_VFS_FCHROOT:
2388 case PRIV_VFS_FHOPEN:
2389 case PRIV_VFS_FHSTATFS:
2390 case PRIV_VFS_GENERATION:
2391 case PRIV_VFS_GETFH:
2392 case PRIV_VFS_GETQUOTA:
2394 case PRIV_VFS_MOUNT:
2395 case PRIV_VFS_MOUNT_OWNER:
2396 case PRIV_VFS_MOUNT_PERM:
2397 case PRIV_VFS_MOUNT_SUIDDIR:
2398 case PRIV_VFS_MOUNT_NONUSER:
2399 case PRIV_VFS_SETGID:
2400 case PRIV_VFS_STICKYFILE:
2401 case PRIV_VFS_SYSFLAGS:
2402 case PRIV_VFS_UNMOUNT:
2405 * Allow VM privileges; it would be nice if these were subject to
2408 case PRIV_VM_MADV_PROTECT:
2410 case PRIV_VM_MUNLOCK:
2413 * Allow some but not all network privileges. In general, dont allow
2414 * reconfiguring the network stack, just normal use.
2416 case PRIV_NETATALK_RESERVEDPORT:
2417 case PRIV_NETINET_RESERVEDPORT:
2418 case PRIV_NETINET_RAW:
2419 case PRIV_NETINET_REUSEPORT:
2420 case PRIV_NETIPX_RESERVEDPORT:
2421 case PRIV_NETIPX_RAW:
2425 * All remaining system privileges are allow only if the process
2426 * holds privilege with respect to the Biba policy.
2429 subj = SLOT(cred->cr_label);
2430 error = biba_subject_privileged(subj);
2438 biba_check_system_acct(struct ucred *cred, struct vnode *vp,
2439 struct label *vplabel)
2441 struct mac_biba *subj, *obj;
2447 subj = SLOT(cred->cr_label);
2449 error = biba_subject_privileged(subj);
2453 if (vplabel == NULL)
2456 obj = SLOT(vplabel);
2457 if (!biba_high_effective(obj))
2464 biba_check_system_auditctl(struct ucred *cred, struct vnode *vp,
2465 struct label *vplabel)
2467 struct mac_biba *subj, *obj;
2473 subj = SLOT(cred->cr_label);
2475 error = biba_subject_privileged(subj);
2479 if (vplabel == NULL)
2482 obj = SLOT(vplabel);
2483 if (!biba_high_effective(obj))
2490 biba_check_system_auditon(struct ucred *cred, int cmd)
2492 struct mac_biba *subj;
2498 subj = SLOT(cred->cr_label);
2500 error = biba_subject_privileged(subj);
2508 biba_check_system_swapon(struct ucred *cred, struct vnode *vp,
2509 struct label *vplabel)
2511 struct mac_biba *subj, *obj;
2517 subj = SLOT(cred->cr_label);
2518 obj = SLOT(vplabel);
2520 error = biba_subject_privileged(subj);
2524 if (!biba_high_effective(obj))
2531 biba_check_system_swapoff(struct ucred *cred, struct vnode *vp,
2532 struct label *label)
2534 struct mac_biba *subj;
2540 subj = SLOT(cred->cr_label);
2542 error = biba_subject_privileged(subj);
2550 biba_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
2551 void *arg1, int arg2, struct sysctl_req *req)
2553 struct mac_biba *subj;
2559 subj = SLOT(cred->cr_label);
2562 * Treat sysctl variables without CTLFLAG_ANYBODY flag as biba/high,
2563 * but also require privilege to change them.
2565 if (req->newptr != NULL && (oidp->oid_kind & CTLFLAG_ANYBODY) == 0) {
2566 if (!biba_subject_dominate_high(subj))
2569 error = biba_subject_privileged(subj);
2578 biba_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
2579 struct label *dvplabel)
2581 struct mac_biba *subj, *obj;
2586 subj = SLOT(cred->cr_label);
2587 obj = SLOT(dvplabel);
2589 if (!biba_dominate_effective(obj, subj))
2596 biba_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
2597 struct label *dvplabel)
2599 struct mac_biba *subj, *obj;
2604 subj = SLOT(cred->cr_label);
2605 obj = SLOT(dvplabel);
2607 if (!biba_dominate_effective(obj, subj))
2614 biba_check_vnode_create(struct ucred *cred, struct vnode *dvp,
2615 struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
2617 struct mac_biba *subj, *obj;
2622 subj = SLOT(cred->cr_label);
2623 obj = SLOT(dvplabel);
2625 if (!biba_dominate_effective(subj, obj))
2632 biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
2633 struct label *vplabel, acl_type_t type)
2635 struct mac_biba *subj, *obj;
2640 subj = SLOT(cred->cr_label);
2641 obj = SLOT(vplabel);
2643 if (!biba_dominate_effective(subj, obj))
2650 biba_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
2651 struct label *vplabel, int attrnamespace, const char *name)
2653 struct mac_biba *subj, *obj;
2658 subj = SLOT(cred->cr_label);
2659 obj = SLOT(vplabel);
2661 if (!biba_dominate_effective(subj, obj))
2668 biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
2669 struct label *vplabel, struct image_params *imgp,
2670 struct label *execlabel)
2672 struct mac_biba *subj, *obj, *exec;
2675 if (execlabel != NULL) {
2677 * We currently don't permit labels to be changed at
2678 * exec-time as part of Biba, so disallow non-NULL Biba label
2679 * elements in the execlabel.
2681 exec = SLOT(execlabel);
2682 error = biba_atmostflags(exec, 0);
2690 subj = SLOT(cred->cr_label);
2691 obj = SLOT(vplabel);
2693 if (!biba_dominate_effective(obj, subj))
2700 biba_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
2701 struct label *vplabel, acl_type_t type)
2703 struct mac_biba *subj, *obj;
2708 subj = SLOT(cred->cr_label);
2709 obj = SLOT(vplabel);
2711 if (!biba_dominate_effective(obj, subj))
2718 biba_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
2719 struct label *vplabel, int attrnamespace, const char *name,
2722 struct mac_biba *subj, *obj;
2727 subj = SLOT(cred->cr_label);
2728 obj = SLOT(vplabel);
2730 if (!biba_dominate_effective(obj, subj))
2737 biba_check_vnode_link(struct ucred *cred, struct vnode *dvp,
2738 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2739 struct componentname *cnp)
2741 struct mac_biba *subj, *obj;
2746 subj = SLOT(cred->cr_label);
2747 obj = SLOT(dvplabel);
2749 if (!biba_dominate_effective(subj, obj))
2752 obj = SLOT(vplabel);
2754 if (!biba_dominate_effective(subj, obj))
2761 biba_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
2762 struct label *vplabel, int attrnamespace)
2764 struct mac_biba *subj, *obj;
2769 subj = SLOT(cred->cr_label);
2770 obj = SLOT(vplabel);
2772 if (!biba_dominate_effective(obj, subj))
2779 biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
2780 struct label *dvplabel, struct componentname *cnp)
2782 struct mac_biba *subj, *obj;
2787 subj = SLOT(cred->cr_label);
2788 obj = SLOT(dvplabel);
2790 if (!biba_dominate_effective(obj, subj))
2797 biba_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
2798 struct label *vplabel, int prot, int flags)
2800 struct mac_biba *subj, *obj;
2803 * Rely on the use of open()-time protections to handle
2804 * non-revocation cases.
2806 if (!biba_enabled || !revocation_enabled)
2809 subj = SLOT(cred->cr_label);
2810 obj = SLOT(vplabel);
2812 if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
2813 if (!biba_dominate_effective(obj, subj))
2816 if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) {
2817 if (!biba_dominate_effective(subj, obj))
2825 biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
2826 struct label *vplabel, int acc_mode)
2828 struct mac_biba *subj, *obj;
2833 subj = SLOT(cred->cr_label);
2834 obj = SLOT(vplabel);
2836 /* XXX privilege override for admin? */
2837 if (acc_mode & (VREAD | VEXEC | VSTAT)) {
2838 if (!biba_dominate_effective(obj, subj))
2841 if (acc_mode & (VWRITE | VAPPEND | VADMIN)) {
2842 if (!biba_dominate_effective(subj, obj))
2850 biba_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
2851 struct vnode *vp, struct label *vplabel)
2853 struct mac_biba *subj, *obj;
2855 if (!biba_enabled || !revocation_enabled)
2858 subj = SLOT(active_cred->cr_label);
2859 obj = SLOT(vplabel);
2861 if (!biba_dominate_effective(obj, subj))
2868 biba_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
2869 struct vnode *vp, struct label *vplabel)
2871 struct mac_biba *subj, *obj;
2873 if (!biba_enabled || !revocation_enabled)
2876 subj = SLOT(active_cred->cr_label);
2877 obj = SLOT(vplabel);
2879 if (!biba_dominate_effective(obj, subj))
2886 biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
2887 struct label *dvplabel)
2889 struct mac_biba *subj, *obj;
2894 subj = SLOT(cred->cr_label);
2895 obj = SLOT(dvplabel);
2897 if (!biba_dominate_effective(obj, subj))
2904 biba_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
2905 struct label *vplabel)
2907 struct mac_biba *subj, *obj;
2912 subj = SLOT(cred->cr_label);
2913 obj = SLOT(vplabel);
2915 if (!biba_dominate_effective(obj, subj))
2922 biba_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
2923 struct label *vplabel, struct label *newlabel)
2925 struct mac_biba *old, *new, *subj;
2928 old = SLOT(vplabel);
2929 new = SLOT(newlabel);
2930 subj = SLOT(cred->cr_label);
2933 * If there is a Biba label update for the vnode, it must be a
2936 error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
2941 * To perform a relabel of the vnode (Biba label or not), Biba must
2942 * authorize the relabel.
2944 if (!biba_effective_in_range(old, subj))
2948 * If the Biba label is to be changed, authorize as appropriate.
2950 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
2952 * To change the Biba label on a vnode, the new vnode label
2953 * must be in the subject range.
2955 if (!biba_effective_in_range(new, subj))
2959 * To change the Biba label on the vnode to be EQUAL, the
2960 * subject must have appropriate privilege.
2962 if (biba_contains_equal(new)) {
2963 error = biba_subject_privileged(subj);
2973 biba_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
2974 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2975 struct componentname *cnp)
2977 struct mac_biba *subj, *obj;
2982 subj = SLOT(cred->cr_label);
2983 obj = SLOT(dvplabel);
2985 if (!biba_dominate_effective(subj, obj))
2988 obj = SLOT(vplabel);
2990 if (!biba_dominate_effective(subj, obj))
2997 biba_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
2998 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2999 int samedir, struct componentname *cnp)
3001 struct mac_biba *subj, *obj;
3006 subj = SLOT(cred->cr_label);
3007 obj = SLOT(dvplabel);
3009 if (!biba_dominate_effective(subj, obj))
3013 obj = SLOT(vplabel);
3015 if (!biba_dominate_effective(subj, obj))
3023 biba_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
3024 struct label *vplabel)
3026 struct mac_biba *subj, *obj;
3031 subj = SLOT(cred->cr_label);
3032 obj = SLOT(vplabel);
3034 if (!biba_dominate_effective(subj, obj))
3041 biba_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
3042 struct label *vplabel, acl_type_t type, struct acl *acl)
3044 struct mac_biba *subj, *obj;
3049 subj = SLOT(cred->cr_label);
3050 obj = SLOT(vplabel);
3052 if (!biba_dominate_effective(subj, obj))
3059 biba_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
3060 struct label *vplabel, int attrnamespace, const char *name,
3063 struct mac_biba *subj, *obj;
3068 subj = SLOT(cred->cr_label);
3069 obj = SLOT(vplabel);
3071 if (!biba_dominate_effective(subj, obj))
3074 /* XXX: protect the MAC EA in a special way? */
3080 biba_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
3081 struct label *vplabel, u_long flags)
3083 struct mac_biba *subj, *obj;
3088 subj = SLOT(cred->cr_label);
3089 obj = SLOT(vplabel);
3091 if (!biba_dominate_effective(subj, obj))
3098 biba_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
3099 struct label *vplabel, mode_t mode)
3101 struct mac_biba *subj, *obj;
3106 subj = SLOT(cred->cr_label);
3107 obj = SLOT(vplabel);
3109 if (!biba_dominate_effective(subj, obj))
3116 biba_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
3117 struct label *vplabel, uid_t uid, gid_t gid)
3119 struct mac_biba *subj, *obj;
3124 subj = SLOT(cred->cr_label);
3125 obj = SLOT(vplabel);
3127 if (!biba_dominate_effective(subj, obj))
3134 biba_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
3135 struct label *vplabel, struct timespec atime, struct timespec mtime)
3137 struct mac_biba *subj, *obj;
3142 subj = SLOT(cred->cr_label);
3143 obj = SLOT(vplabel);
3145 if (!biba_dominate_effective(subj, obj))
3152 biba_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
3153 struct vnode *vp, struct label *vplabel)
3155 struct mac_biba *subj, *obj;
3160 subj = SLOT(active_cred->cr_label);
3161 obj = SLOT(vplabel);
3163 if (!biba_dominate_effective(obj, subj))
3170 biba_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
3171 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
3172 struct componentname *cnp)
3174 struct mac_biba *subj, *obj;
3179 subj = SLOT(cred->cr_label);
3180 obj = SLOT(dvplabel);
3182 if (!biba_dominate_effective(subj, obj))
3185 obj = SLOT(vplabel);
3187 if (!biba_dominate_effective(subj, obj))
3194 biba_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
3195 struct vnode *vp, struct label *vplabel)
3197 struct mac_biba *subj, *obj;
3199 if (!biba_enabled || !revocation_enabled)
3202 subj = SLOT(active_cred->cr_label);
3203 obj = SLOT(vplabel);
3205 if (!biba_dominate_effective(subj, obj))
3212 biba_associate_nfsd_label(struct ucred *cred)
3214 struct mac_biba *label;
3216 label = SLOT(cred->cr_label);
3217 biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
3218 biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
3223 biba_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
3225 struct mac_biba *source, *dest;
3227 source = SLOT(inp->inp_label);
3229 biba_copy_effective(source, dest);
3233 biba_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
3234 struct label *mlabel)
3236 struct mac_biba *source, *dest;
3238 source = SLOT(sc_label);
3239 dest = SLOT(mlabel);
3240 biba_copy_effective(source, dest);
3243 static struct mac_policy_ops mac_biba_ops =
3245 .mpo_init = biba_init,
3246 .mpo_init_bpfdesc_label = biba_init_label,
3247 .mpo_init_cred_label = biba_init_label,
3248 .mpo_init_devfs_label = biba_init_label,
3249 .mpo_init_ifnet_label = biba_init_label,
3250 .mpo_init_inpcb_label = biba_init_label_waitcheck,
3251 .mpo_init_syncache_label = biba_init_label_waitcheck,
3252 .mpo_init_sysv_msgmsg_label = biba_init_label,
3253 .mpo_init_sysv_msgqueue_label = biba_init_label,
3254 .mpo_init_sysv_sem_label = biba_init_label,
3255 .mpo_init_sysv_shm_label = biba_init_label,
3256 .mpo_init_ipq_label = biba_init_label_waitcheck,
3257 .mpo_init_mbuf_label = biba_init_label_waitcheck,
3258 .mpo_init_mount_label = biba_init_label,
3259 .mpo_init_pipe_label = biba_init_label,
3260 .mpo_init_posix_sem_label = biba_init_label,
3261 .mpo_init_socket_label = biba_init_label_waitcheck,
3262 .mpo_init_socket_peer_label = biba_init_label_waitcheck,
3263 .mpo_init_syncache_from_inpcb = biba_init_syncache_from_inpcb,
3264 .mpo_init_vnode_label = biba_init_label,
3265 .mpo_destroy_bpfdesc_label = biba_destroy_label,
3266 .mpo_destroy_cred_label = biba_destroy_label,
3267 .mpo_destroy_devfs_label = biba_destroy_label,
3268 .mpo_destroy_ifnet_label = biba_destroy_label,
3269 .mpo_destroy_inpcb_label = biba_destroy_label,
3270 .mpo_destroy_syncache_label = biba_destroy_label,
3271 .mpo_destroy_sysv_msgmsg_label = biba_destroy_label,
3272 .mpo_destroy_sysv_msgqueue_label = biba_destroy_label,
3273 .mpo_destroy_sysv_sem_label = biba_destroy_label,
3274 .mpo_destroy_sysv_shm_label = biba_destroy_label,
3275 .mpo_destroy_ipq_label = biba_destroy_label,
3276 .mpo_destroy_mbuf_label = biba_destroy_label,
3277 .mpo_destroy_mount_label = biba_destroy_label,
3278 .mpo_destroy_pipe_label = biba_destroy_label,
3279 .mpo_destroy_posix_sem_label = biba_destroy_label,
3280 .mpo_destroy_socket_label = biba_destroy_label,
3281 .mpo_destroy_socket_peer_label = biba_destroy_label,
3282 .mpo_destroy_vnode_label = biba_destroy_label,
3283 .mpo_copy_cred_label = biba_copy_label,
3284 .mpo_copy_ifnet_label = biba_copy_label,
3285 .mpo_copy_mbuf_label = biba_copy_label,
3286 .mpo_copy_pipe_label = biba_copy_label,
3287 .mpo_copy_socket_label = biba_copy_label,
3288 .mpo_copy_vnode_label = biba_copy_label,
3289 .mpo_externalize_cred_label = biba_externalize_label,
3290 .mpo_externalize_ifnet_label = biba_externalize_label,
3291 .mpo_externalize_pipe_label = biba_externalize_label,
3292 .mpo_externalize_socket_label = biba_externalize_label,
3293 .mpo_externalize_socket_peer_label = biba_externalize_label,
3294 .mpo_externalize_vnode_label = biba_externalize_label,
3295 .mpo_internalize_cred_label = biba_internalize_label,
3296 .mpo_internalize_ifnet_label = biba_internalize_label,
3297 .mpo_internalize_pipe_label = biba_internalize_label,
3298 .mpo_internalize_socket_label = biba_internalize_label,
3299 .mpo_internalize_vnode_label = biba_internalize_label,
3300 .mpo_create_devfs_device = biba_create_devfs_device,
3301 .mpo_create_devfs_directory = biba_create_devfs_directory,
3302 .mpo_create_devfs_symlink = biba_create_devfs_symlink,
3303 .mpo_create_mount = biba_create_mount,
3304 .mpo_relabel_vnode = biba_relabel_vnode,
3305 .mpo_update_devfs = biba_update_devfs,
3306 .mpo_associate_vnode_devfs = biba_associate_vnode_devfs,
3307 .mpo_associate_vnode_extattr = biba_associate_vnode_extattr,
3308 .mpo_associate_vnode_singlelabel = biba_associate_vnode_singlelabel,
3309 .mpo_create_vnode_extattr = biba_create_vnode_extattr,
3310 .mpo_setlabel_vnode_extattr = biba_setlabel_vnode_extattr,
3311 .mpo_create_mbuf_from_socket = biba_create_mbuf_from_socket,
3312 .mpo_create_mbuf_from_syncache = biba_create_mbuf_from_syncache,
3313 .mpo_create_pipe = biba_create_pipe,
3314 .mpo_create_posix_sem = biba_create_posix_sem,
3315 .mpo_create_socket = biba_create_socket,
3316 .mpo_create_socket_from_socket = biba_create_socket_from_socket,
3317 .mpo_relabel_pipe = biba_relabel_pipe,
3318 .mpo_relabel_socket = biba_relabel_socket,
3319 .mpo_set_socket_peer_from_mbuf = biba_set_socket_peer_from_mbuf,
3320 .mpo_set_socket_peer_from_socket = biba_set_socket_peer_from_socket,
3321 .mpo_create_bpfdesc = biba_create_bpfdesc,
3322 .mpo_create_datagram_from_ipq = biba_create_datagram_from_ipq,
3323 .mpo_create_fragment = biba_create_fragment,
3324 .mpo_create_ifnet = biba_create_ifnet,
3325 .mpo_create_inpcb_from_socket = biba_create_inpcb_from_socket,
3326 .mpo_create_sysv_msgmsg = biba_create_sysv_msgmsg,
3327 .mpo_create_sysv_msgqueue = biba_create_sysv_msgqueue,
3328 .mpo_create_sysv_sem = biba_create_sysv_sem,
3329 .mpo_create_sysv_shm = biba_create_sysv_shm,
3330 .mpo_create_ipq = biba_create_ipq,
3331 .mpo_create_mbuf_from_inpcb = biba_create_mbuf_from_inpcb,
3332 .mpo_create_mbuf_linklayer = biba_create_mbuf_linklayer,
3333 .mpo_create_mbuf_from_bpfdesc = biba_create_mbuf_from_bpfdesc,
3334 .mpo_create_mbuf_from_ifnet = biba_create_mbuf_from_ifnet,
3335 .mpo_create_mbuf_multicast_encap = biba_create_mbuf_multicast_encap,
3336 .mpo_create_mbuf_netlayer = biba_create_mbuf_netlayer,
3337 .mpo_fragment_match = biba_fragment_match,
3338 .mpo_relabel_ifnet = biba_relabel_ifnet,
3339 .mpo_update_ipq = biba_update_ipq,
3340 .mpo_inpcb_sosetlabel = biba_inpcb_sosetlabel,
3341 .mpo_create_proc0 = biba_create_proc0,
3342 .mpo_create_proc1 = biba_create_proc1,
3343 .mpo_relabel_cred = biba_relabel_cred,
3344 .mpo_cleanup_sysv_msgmsg = biba_cleanup_sysv_msgmsg,
3345 .mpo_cleanup_sysv_msgqueue = biba_cleanup_sysv_msgqueue,
3346 .mpo_cleanup_sysv_sem = biba_cleanup_sysv_sem,
3347 .mpo_cleanup_sysv_shm = biba_cleanup_sysv_shm,
3348 .mpo_check_bpfdesc_receive = biba_check_bpfdesc_receive,
3349 .mpo_check_cred_relabel = biba_check_cred_relabel,
3350 .mpo_check_cred_visible = biba_check_cred_visible,
3351 .mpo_check_ifnet_relabel = biba_check_ifnet_relabel,
3352 .mpo_check_ifnet_transmit = biba_check_ifnet_transmit,
3353 .mpo_check_inpcb_deliver = biba_check_inpcb_deliver,
3354 .mpo_check_inpcb_visible = biba_check_inpcb_visible,
3355 .mpo_check_sysv_msgrcv = biba_check_sysv_msgrcv,
3356 .mpo_check_sysv_msgrmid = biba_check_sysv_msgrmid,
3357 .mpo_check_sysv_msqget = biba_check_sysv_msqget,
3358 .mpo_check_sysv_msqsnd = biba_check_sysv_msqsnd,
3359 .mpo_check_sysv_msqrcv = biba_check_sysv_msqrcv,
3360 .mpo_check_sysv_msqctl = biba_check_sysv_msqctl,
3361 .mpo_check_sysv_semctl = biba_check_sysv_semctl,
3362 .mpo_check_sysv_semget = biba_check_sysv_semget,
3363 .mpo_check_sysv_semop = biba_check_sysv_semop,
3364 .mpo_check_sysv_shmat = biba_check_sysv_shmat,
3365 .mpo_check_sysv_shmctl = biba_check_sysv_shmctl,
3366 .mpo_check_sysv_shmget = biba_check_sysv_shmget,
3367 .mpo_check_kld_load = biba_check_kld_load,
3368 .mpo_check_mount_stat = biba_check_mount_stat,
3369 .mpo_check_pipe_ioctl = biba_check_pipe_ioctl,
3370 .mpo_check_pipe_poll = biba_check_pipe_poll,
3371 .mpo_check_pipe_read = biba_check_pipe_read,
3372 .mpo_check_pipe_relabel = biba_check_pipe_relabel,
3373 .mpo_check_pipe_stat = biba_check_pipe_stat,
3374 .mpo_check_pipe_write = biba_check_pipe_write,
3375 .mpo_check_posix_sem_destroy = biba_check_posix_sem_write,
3376 .mpo_check_posix_sem_getvalue = biba_check_posix_sem_rdonly,
3377 .mpo_check_posix_sem_open = biba_check_posix_sem_write,
3378 .mpo_check_posix_sem_post = biba_check_posix_sem_write,
3379 .mpo_check_posix_sem_unlink = biba_check_posix_sem_write,
3380 .mpo_check_posix_sem_wait = biba_check_posix_sem_write,
3381 .mpo_check_proc_debug = biba_check_proc_debug,
3382 .mpo_check_proc_sched = biba_check_proc_sched,
3383 .mpo_check_proc_signal = biba_check_proc_signal,
3384 .mpo_check_socket_deliver = biba_check_socket_deliver,
3385 .mpo_check_socket_relabel = biba_check_socket_relabel,
3386 .mpo_check_socket_visible = biba_check_socket_visible,
3387 .mpo_check_system_acct = biba_check_system_acct,
3388 .mpo_check_system_auditctl = biba_check_system_auditctl,
3389 .mpo_check_system_auditon = biba_check_system_auditon,
3390 .mpo_check_system_swapon = biba_check_system_swapon,
3391 .mpo_check_system_swapoff = biba_check_system_swapoff,
3392 .mpo_check_system_sysctl = biba_check_system_sysctl,
3393 .mpo_check_vnode_access = biba_check_vnode_open,
3394 .mpo_check_vnode_chdir = biba_check_vnode_chdir,
3395 .mpo_check_vnode_chroot = biba_check_vnode_chroot,
3396 .mpo_check_vnode_create = biba_check_vnode_create,
3397 .mpo_check_vnode_deleteacl = biba_check_vnode_deleteacl,
3398 .mpo_check_vnode_deleteextattr = biba_check_vnode_deleteextattr,
3399 .mpo_check_vnode_exec = biba_check_vnode_exec,
3400 .mpo_check_vnode_getacl = biba_check_vnode_getacl,
3401 .mpo_check_vnode_getextattr = biba_check_vnode_getextattr,
3402 .mpo_check_vnode_link = biba_check_vnode_link,
3403 .mpo_check_vnode_listextattr = biba_check_vnode_listextattr,
3404 .mpo_check_vnode_lookup = biba_check_vnode_lookup,
3405 .mpo_check_vnode_mmap = biba_check_vnode_mmap,
3406 .mpo_check_vnode_open = biba_check_vnode_open,
3407 .mpo_check_vnode_poll = biba_check_vnode_poll,
3408 .mpo_check_vnode_read = biba_check_vnode_read,
3409 .mpo_check_vnode_readdir = biba_check_vnode_readdir,
3410 .mpo_check_vnode_readlink = biba_check_vnode_readlink,
3411 .mpo_check_vnode_relabel = biba_check_vnode_relabel,
3412 .mpo_check_vnode_rename_from = biba_check_vnode_rename_from,
3413 .mpo_check_vnode_rename_to = biba_check_vnode_rename_to,
3414 .mpo_check_vnode_revoke = biba_check_vnode_revoke,
3415 .mpo_check_vnode_setacl = biba_check_vnode_setacl,
3416 .mpo_check_vnode_setextattr = biba_check_vnode_setextattr,
3417 .mpo_check_vnode_setflags = biba_check_vnode_setflags,
3418 .mpo_check_vnode_setmode = biba_check_vnode_setmode,
3419 .mpo_check_vnode_setowner = biba_check_vnode_setowner,
3420 .mpo_check_vnode_setutimes = biba_check_vnode_setutimes,
3421 .mpo_check_vnode_stat = biba_check_vnode_stat,
3422 .mpo_check_vnode_unlink = biba_check_vnode_unlink,
3423 .mpo_check_vnode_write = biba_check_vnode_write,
3424 .mpo_associate_nfsd_label = biba_associate_nfsd_label,
3425 .mpo_create_mbuf_from_firewall = biba_create_mbuf_from_firewall,
3426 .mpo_priv_check = biba_priv_check,
3429 MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba",
3430 MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &biba_slot);