2 * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
3 * Copyright (c) 2001-2005 McAfee, Inc.
4 * Copyright (c) 2006 SPARTA, Inc.
7 * This software was developed by Robert Watson for the TrustedBSD Project.
9 * This software was developed for the FreeBSD Project in part by McAfee
10 * Research, the Security Research Division of McAfee, Inc. under
11 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
12 * CHATS research program.
14 * This software was enhanced by SPARTA ISSO under SPAWAR contract
15 * N66001-04-C-6019 ("SEFOS").
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted provided that the following conditions
20 * 1. Redistributions of source code must retain the above copyright
21 * notice, this list of conditions and the following disclaimer.
22 * 2. Redistributions in binary form must reproduce the above copyright
23 * notice, this list of conditions and the following disclaimer in the
24 * documentation and/or other materials provided with the distribution.
26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
42 * Developed by the TrustedBSD Project.
44 * Biba fixed label mandatory integrity policy.
47 #include <sys/param.h>
49 #include <sys/extattr.h>
50 #include <sys/kernel.h>
52 #include <sys/malloc.h>
54 #include <sys/mount.h>
58 #include <sys/systm.h>
59 #include <sys/sysproto.h>
60 #include <sys/sysent.h>
61 #include <sys/systm.h>
62 #include <sys/vnode.h>
64 #include <sys/socket.h>
65 #include <sys/socketvar.h>
68 #include <sys/sysctl.h>
73 #include <fs/devfs/devfs.h>
75 #include <net/bpfdesc.h>
77 #include <net/if_types.h>
78 #include <net/if_var.h>
80 #include <netinet/in.h>
81 #include <netinet/in_pcb.h>
82 #include <netinet/ip_var.h>
87 #include <security/mac/mac_policy.h>
88 #include <security/mac_biba/mac_biba.h>
90 SYSCTL_DECL(_security_mac);
92 SYSCTL_NODE(_security_mac, OID_AUTO, biba, CTLFLAG_RW, 0,
93 "TrustedBSD mac_biba policy controls");
95 static int biba_label_size = sizeof(struct mac_biba);
96 SYSCTL_INT(_security_mac_biba, OID_AUTO, label_size, CTLFLAG_RD,
97 &biba_label_size, 0, "Size of struct mac_biba");
99 static int biba_enabled = 1;
100 SYSCTL_INT(_security_mac_biba, OID_AUTO, enabled, CTLFLAG_RW, &biba_enabled,
101 0, "Enforce MAC/Biba policy");
102 TUNABLE_INT("security.mac.biba.enabled", &biba_enabled);
104 static int destroyed_not_inited;
105 SYSCTL_INT(_security_mac_biba, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
106 &destroyed_not_inited, 0, "Count of labels destroyed but not inited");
108 static int trust_all_interfaces = 0;
109 SYSCTL_INT(_security_mac_biba, OID_AUTO, trust_all_interfaces, CTLFLAG_RD,
110 &trust_all_interfaces, 0, "Consider all interfaces 'trusted' by MAC/Biba");
111 TUNABLE_INT("security.mac.biba.trust_all_interfaces", &trust_all_interfaces);
113 static char trusted_interfaces[128];
114 SYSCTL_STRING(_security_mac_biba, OID_AUTO, trusted_interfaces, CTLFLAG_RD,
115 trusted_interfaces, 0, "Interfaces considered 'trusted' by MAC/Biba");
116 TUNABLE_STR("security.mac.biba.trusted_interfaces", trusted_interfaces,
117 sizeof(trusted_interfaces));
119 static int max_compartments = MAC_BIBA_MAX_COMPARTMENTS;
120 SYSCTL_INT(_security_mac_biba, OID_AUTO, max_compartments, CTLFLAG_RD,
121 &max_compartments, 0, "Maximum supported compartments");
123 static int ptys_equal = 0;
124 SYSCTL_INT(_security_mac_biba, OID_AUTO, ptys_equal, CTLFLAG_RW, &ptys_equal,
125 0, "Label pty devices as biba/equal on create");
126 TUNABLE_INT("security.mac.biba.ptys_equal", &ptys_equal);
128 static int interfaces_equal = 1;
129 SYSCTL_INT(_security_mac_biba, OID_AUTO, interfaces_equal, CTLFLAG_RW,
130 &interfaces_equal, 0, "Label network interfaces as biba/equal on create");
131 TUNABLE_INT("security.mac.biba.interfaces_equal", &interfaces_equal);
133 static int revocation_enabled = 0;
134 SYSCTL_INT(_security_mac_biba, OID_AUTO, revocation_enabled, CTLFLAG_RW,
135 &revocation_enabled, 0, "Revoke access to objects on relabel");
136 TUNABLE_INT("security.mac.biba.revocation_enabled", &revocation_enabled);
138 static int biba_slot;
139 #define SLOT(l) ((struct mac_biba *)mac_label_get((l), biba_slot))
140 #define SLOT_SET(l, val) mac_label_set((l), biba_slot, (uintptr_t)(val))
142 static uma_zone_t zone_biba;
145 biba_bit_set_empty(u_char *set) {
148 for (i = 0; i < MAC_BIBA_MAX_COMPARTMENTS >> 3; i++)
154 static struct mac_biba *
158 return (uma_zalloc(zone_biba, flag | M_ZERO));
162 biba_free(struct mac_biba *mb)
166 uma_zfree(zone_biba, mb);
168 atomic_add_int(&destroyed_not_inited, 1);
172 biba_atmostflags(struct mac_biba *mb, int flags)
175 if ((mb->mb_flags & flags) != mb->mb_flags)
181 biba_dominate_element(struct mac_biba_element *a, struct mac_biba_element *b)
185 switch (a->mbe_type) {
186 case MAC_BIBA_TYPE_EQUAL:
187 case MAC_BIBA_TYPE_HIGH:
190 case MAC_BIBA_TYPE_LOW:
191 switch (b->mbe_type) {
192 case MAC_BIBA_TYPE_GRADE:
193 case MAC_BIBA_TYPE_HIGH:
196 case MAC_BIBA_TYPE_EQUAL:
197 case MAC_BIBA_TYPE_LOW:
201 panic("biba_dominate_element: b->mbe_type invalid");
204 case MAC_BIBA_TYPE_GRADE:
205 switch (b->mbe_type) {
206 case MAC_BIBA_TYPE_EQUAL:
207 case MAC_BIBA_TYPE_LOW:
210 case MAC_BIBA_TYPE_HIGH:
213 case MAC_BIBA_TYPE_GRADE:
214 for (bit = 1; bit <= MAC_BIBA_MAX_COMPARTMENTS; bit++)
215 if (!MAC_BIBA_BIT_TEST(bit,
216 a->mbe_compartments) &&
217 MAC_BIBA_BIT_TEST(bit, b->mbe_compartments))
219 return (a->mbe_grade >= b->mbe_grade);
222 panic("biba_dominate_element: b->mbe_type invalid");
226 panic("biba_dominate_element: a->mbe_type invalid");
233 biba_subject_dominate_high(struct mac_biba *mb)
235 struct mac_biba_element *element;
237 KASSERT((mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
238 ("biba_effective_in_range: mb not effective"));
239 element = &mb->mb_effective;
241 return (element->mbe_type == MAC_BIBA_TYPE_EQUAL ||
242 element->mbe_type == MAC_BIBA_TYPE_HIGH);
246 biba_range_in_range(struct mac_biba *rangea, struct mac_biba *rangeb)
249 return (biba_dominate_element(&rangeb->mb_rangehigh,
250 &rangea->mb_rangehigh) &&
251 biba_dominate_element(&rangea->mb_rangelow,
252 &rangeb->mb_rangelow));
256 biba_effective_in_range(struct mac_biba *effective, struct mac_biba *range)
259 KASSERT((effective->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
260 ("biba_effective_in_range: a not effective"));
261 KASSERT((range->mb_flags & MAC_BIBA_FLAG_RANGE) != 0,
262 ("biba_effective_in_range: b not range"));
264 return (biba_dominate_element(&range->mb_rangehigh,
265 &effective->mb_effective) &&
266 biba_dominate_element(&effective->mb_effective,
267 &range->mb_rangelow));
273 biba_dominate_effective(struct mac_biba *a, struct mac_biba *b)
275 KASSERT((a->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
276 ("biba_dominate_effective: a not effective"));
277 KASSERT((b->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
278 ("biba_dominate_effective: b not effective"));
280 return (biba_dominate_element(&a->mb_effective, &b->mb_effective));
284 biba_equal_element(struct mac_biba_element *a, struct mac_biba_element *b)
287 if (a->mbe_type == MAC_BIBA_TYPE_EQUAL ||
288 b->mbe_type == MAC_BIBA_TYPE_EQUAL)
291 return (a->mbe_type == b->mbe_type && a->mbe_grade == b->mbe_grade);
295 biba_equal_effective(struct mac_biba *a, struct mac_biba *b)
298 KASSERT((a->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
299 ("biba_equal_effective: a not effective"));
300 KASSERT((b->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
301 ("biba_equal_effective: b not effective"));
303 return (biba_equal_element(&a->mb_effective, &b->mb_effective));
307 biba_contains_equal(struct mac_biba *mb)
310 if (mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
311 if (mb->mb_effective.mbe_type == MAC_BIBA_TYPE_EQUAL)
315 if (mb->mb_flags & MAC_BIBA_FLAG_RANGE) {
316 if (mb->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL)
318 if (mb->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
326 biba_subject_privileged(struct mac_biba *mb)
329 KASSERT((mb->mb_flags & MAC_BIBA_FLAGS_BOTH) == MAC_BIBA_FLAGS_BOTH,
330 ("biba_subject_privileged: subject doesn't have both labels"));
332 /* If the effective is EQUAL, it's ok. */
333 if (mb->mb_effective.mbe_type == MAC_BIBA_TYPE_EQUAL)
336 /* If either range endpoint is EQUAL, it's ok. */
337 if (mb->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL ||
338 mb->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
341 /* If the range is low-high, it's ok. */
342 if (mb->mb_rangelow.mbe_type == MAC_BIBA_TYPE_LOW &&
343 mb->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_HIGH)
351 biba_high_effective(struct mac_biba *mb)
354 KASSERT((mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
355 ("biba_equal_effective: mb not effective"));
357 return (mb->mb_effective.mbe_type == MAC_BIBA_TYPE_HIGH);
361 biba_valid(struct mac_biba *mb)
364 if (mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
365 switch (mb->mb_effective.mbe_type) {
366 case MAC_BIBA_TYPE_GRADE:
369 case MAC_BIBA_TYPE_EQUAL:
370 case MAC_BIBA_TYPE_HIGH:
371 case MAC_BIBA_TYPE_LOW:
372 if (mb->mb_effective.mbe_grade != 0 ||
373 !MAC_BIBA_BIT_SET_EMPTY(
374 mb->mb_effective.mbe_compartments))
382 if (mb->mb_effective.mbe_type != MAC_BIBA_TYPE_UNDEF)
386 if (mb->mb_flags & MAC_BIBA_FLAG_RANGE) {
387 switch (mb->mb_rangelow.mbe_type) {
388 case MAC_BIBA_TYPE_GRADE:
391 case MAC_BIBA_TYPE_EQUAL:
392 case MAC_BIBA_TYPE_HIGH:
393 case MAC_BIBA_TYPE_LOW:
394 if (mb->mb_rangelow.mbe_grade != 0 ||
395 !MAC_BIBA_BIT_SET_EMPTY(
396 mb->mb_rangelow.mbe_compartments))
404 switch (mb->mb_rangehigh.mbe_type) {
405 case MAC_BIBA_TYPE_GRADE:
408 case MAC_BIBA_TYPE_EQUAL:
409 case MAC_BIBA_TYPE_HIGH:
410 case MAC_BIBA_TYPE_LOW:
411 if (mb->mb_rangehigh.mbe_grade != 0 ||
412 !MAC_BIBA_BIT_SET_EMPTY(
413 mb->mb_rangehigh.mbe_compartments))
420 if (!biba_dominate_element(&mb->mb_rangehigh,
424 if (mb->mb_rangelow.mbe_type != MAC_BIBA_TYPE_UNDEF ||
425 mb->mb_rangehigh.mbe_type != MAC_BIBA_TYPE_UNDEF)
433 biba_set_range(struct mac_biba *mb, u_short typelow, u_short gradelow,
434 u_char *compartmentslow, u_short typehigh, u_short gradehigh,
435 u_char *compartmentshigh)
438 mb->mb_rangelow.mbe_type = typelow;
439 mb->mb_rangelow.mbe_grade = gradelow;
440 if (compartmentslow != NULL)
441 memcpy(mb->mb_rangelow.mbe_compartments, compartmentslow,
442 sizeof(mb->mb_rangelow.mbe_compartments));
443 mb->mb_rangehigh.mbe_type = typehigh;
444 mb->mb_rangehigh.mbe_grade = gradehigh;
445 if (compartmentshigh != NULL)
446 memcpy(mb->mb_rangehigh.mbe_compartments, compartmentshigh,
447 sizeof(mb->mb_rangehigh.mbe_compartments));
448 mb->mb_flags |= MAC_BIBA_FLAG_RANGE;
452 biba_set_effective(struct mac_biba *mb, u_short type, u_short grade,
453 u_char *compartments)
456 mb->mb_effective.mbe_type = type;
457 mb->mb_effective.mbe_grade = grade;
458 if (compartments != NULL)
459 memcpy(mb->mb_effective.mbe_compartments, compartments,
460 sizeof(mb->mb_effective.mbe_compartments));
461 mb->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE;
465 biba_copy_range(struct mac_biba *labelfrom, struct mac_biba *labelto)
468 KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_RANGE) != 0,
469 ("biba_copy_range: labelfrom not range"));
471 labelto->mb_rangelow = labelfrom->mb_rangelow;
472 labelto->mb_rangehigh = labelfrom->mb_rangehigh;
473 labelto->mb_flags |= MAC_BIBA_FLAG_RANGE;
477 biba_copy_effective(struct mac_biba *labelfrom, struct mac_biba *labelto)
480 KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
481 ("biba_copy_effective: labelfrom not effective"));
483 labelto->mb_effective = labelfrom->mb_effective;
484 labelto->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE;
488 biba_copy(struct mac_biba *source, struct mac_biba *dest)
491 if (source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE)
492 biba_copy_effective(source, dest);
493 if (source->mb_flags & MAC_BIBA_FLAG_RANGE)
494 biba_copy_range(source, dest);
498 * Policy module operations.
501 biba_init(struct mac_policy_conf *conf)
504 zone_biba = uma_zcreate("mac_biba", sizeof(struct mac_biba), NULL,
505 NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
512 biba_init_label(struct label *label)
515 SLOT_SET(label, biba_alloc(M_WAITOK));
519 biba_init_label_waitcheck(struct label *label, int flag)
522 SLOT_SET(label, biba_alloc(flag));
523 if (SLOT(label) == NULL)
530 biba_destroy_label(struct label *label)
533 biba_free(SLOT(label));
534 SLOT_SET(label, NULL);
538 * biba_element_to_string() accepts an sbuf and Biba element. It converts
539 * the Biba element to a string and stores the result in the sbuf; if there
540 * isn't space in the sbuf, -1 is returned.
543 biba_element_to_string(struct sbuf *sb, struct mac_biba_element *element)
547 switch (element->mbe_type) {
548 case MAC_BIBA_TYPE_HIGH:
549 return (sbuf_printf(sb, "high"));
551 case MAC_BIBA_TYPE_LOW:
552 return (sbuf_printf(sb, "low"));
554 case MAC_BIBA_TYPE_EQUAL:
555 return (sbuf_printf(sb, "equal"));
557 case MAC_BIBA_TYPE_GRADE:
558 if (sbuf_printf(sb, "%d", element->mbe_grade) == -1)
562 for (i = 1; i <= MAC_BIBA_MAX_COMPARTMENTS; i++) {
563 if (MAC_BIBA_BIT_TEST(i, element->mbe_compartments)) {
565 if (sbuf_putc(sb, ':') == -1)
567 if (sbuf_printf(sb, "%d", i) == -1)
571 if (sbuf_printf(sb, "+%d", i) == -1)
579 panic("biba_element_to_string: invalid type (%d)",
585 * biba_to_string() converts a Biba label to a string, and places the results
586 * in the passed sbuf. It returns 0 on success, or EINVAL if there isn't
587 * room in the sbuf. Note: the sbuf will be modified even in a failure case,
588 * so the caller may need to revert the sbuf by restoring the offset if
592 biba_to_string(struct sbuf *sb, struct mac_biba *mb)
595 if (mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
596 if (biba_element_to_string(sb, &mb->mb_effective) == -1)
600 if (mb->mb_flags & MAC_BIBA_FLAG_RANGE) {
601 if (sbuf_putc(sb, '(') == -1)
604 if (biba_element_to_string(sb, &mb->mb_rangelow) == -1)
607 if (sbuf_putc(sb, '-') == -1)
610 if (biba_element_to_string(sb, &mb->mb_rangehigh) == -1)
613 if (sbuf_putc(sb, ')') == -1)
621 biba_externalize_label(struct label *label, char *element_name,
622 struct sbuf *sb, int *claimed)
626 if (strcmp(MAC_BIBA_LABEL_NAME, element_name) != 0)
632 return (biba_to_string(sb, mb));
636 biba_parse_element(struct mac_biba_element *element, char *string)
638 char *compartment, *end, *grade;
641 if (strcmp(string, "high") == 0 || strcmp(string, "hi") == 0) {
642 element->mbe_type = MAC_BIBA_TYPE_HIGH;
643 element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
644 } else if (strcmp(string, "low") == 0 || strcmp(string, "lo") == 0) {
645 element->mbe_type = MAC_BIBA_TYPE_LOW;
646 element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
647 } else if (strcmp(string, "equal") == 0 ||
648 strcmp(string, "eq") == 0) {
649 element->mbe_type = MAC_BIBA_TYPE_EQUAL;
650 element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
652 element->mbe_type = MAC_BIBA_TYPE_GRADE;
655 * Numeric grade piece of the element.
657 grade = strsep(&string, ":");
658 value = strtol(grade, &end, 10);
659 if (end == grade || *end != '\0')
661 if (value < 0 || value > 65535)
663 element->mbe_grade = value;
666 * Optional compartment piece of the element. If none are
667 * included, we assume that the label has no compartments.
674 while ((compartment = strsep(&string, "+")) != NULL) {
675 value = strtol(compartment, &end, 10);
676 if (compartment == end || *end != '\0')
678 if (value < 1 || value > MAC_BIBA_MAX_COMPARTMENTS)
680 MAC_BIBA_BIT_SET(value, element->mbe_compartments);
688 * Note: destructively consumes the string, make a local copy before calling
689 * if that's a problem.
692 biba_parse(struct mac_biba *mb, char *string)
694 char *rangehigh, *rangelow, *effective;
697 effective = strsep(&string, "(");
698 if (*effective == '\0')
701 if (string != NULL) {
702 rangelow = strsep(&string, "-");
705 rangehigh = strsep(&string, ")");
715 KASSERT((rangelow != NULL && rangehigh != NULL) ||
716 (rangelow == NULL && rangehigh == NULL),
717 ("biba_parse: range mismatch"));
719 bzero(mb, sizeof(*mb));
720 if (effective != NULL) {
721 error = biba_parse_element(&mb->mb_effective, effective);
724 mb->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE;
727 if (rangelow != NULL) {
728 error = biba_parse_element(&mb->mb_rangelow, rangelow);
731 error = biba_parse_element(&mb->mb_rangehigh, rangehigh);
734 mb->mb_flags |= MAC_BIBA_FLAG_RANGE;
737 error = biba_valid(mb);
745 biba_internalize_label(struct label *label, char *element_name,
746 char *element_data, int *claimed)
748 struct mac_biba *mb, mb_temp;
751 if (strcmp(MAC_BIBA_LABEL_NAME, element_name) != 0)
756 error = biba_parse(&mb_temp, element_data);
767 biba_copy_label(struct label *src, struct label *dest)
770 *SLOT(dest) = *SLOT(src);
774 * Object-specific entry point implementations are sorted alphabetically by
775 * object type name and then by operation.
778 biba_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
779 struct ifnet *ifp, struct label *ifplabel)
781 struct mac_biba *a, *b;
789 if (biba_equal_effective(a, b))
795 biba_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
796 struct label *dlabel)
798 struct mac_biba *source, *dest;
800 source = SLOT(cred->cr_label);
803 biba_copy_effective(source, dest);
807 biba_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
808 struct mbuf *m, struct label *mlabel)
810 struct mac_biba *source, *dest;
812 source = SLOT(dlabel);
815 biba_copy_effective(source, dest);
819 biba_cred_associate_nfsd(struct ucred *cred)
821 struct mac_biba *label;
823 label = SLOT(cred->cr_label);
824 biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
825 biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
830 biba_cred_check_relabel(struct ucred *cred, struct label *newlabel)
832 struct mac_biba *subj, *new;
835 subj = SLOT(cred->cr_label);
836 new = SLOT(newlabel);
839 * If there is a Biba label update for the credential, it may
840 * be an update of the effective, range, or both.
842 error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
847 * If the Biba label is to be changed, authorize as appropriate.
849 if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
851 * If the change request modifies both the Biba label
852 * effective and range, check that the new effective will be
855 if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
856 MAC_BIBA_FLAGS_BOTH &&
857 !biba_effective_in_range(new, new))
861 * To change the Biba effective label on a credential, the
862 * new effective label must be in the current range.
864 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE &&
865 !biba_effective_in_range(new, subj))
869 * To change the Biba range on a credential, the new range
870 * label must be in the current range.
872 if (new->mb_flags & MAC_BIBA_FLAG_RANGE &&
873 !biba_range_in_range(new, subj))
877 * To have EQUAL in any component of the new credential Biba
878 * label, the subject must already have EQUAL in their label.
880 if (biba_contains_equal(new)) {
881 error = biba_subject_privileged(subj);
891 biba_cred_check_visible(struct ucred *u1, struct ucred *u2)
893 struct mac_biba *subj, *obj;
898 subj = SLOT(u1->cr_label);
899 obj = SLOT(u2->cr_label);
902 if (!biba_dominate_effective(obj, subj))
909 biba_cred_create_init(struct ucred *cred)
911 struct mac_biba *dest;
913 dest = SLOT(cred->cr_label);
915 biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
916 biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
921 biba_cred_create_swapper(struct ucred *cred)
923 struct mac_biba *dest;
925 dest = SLOT(cred->cr_label);
927 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
928 biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
933 biba_cred_relabel(struct ucred *cred, struct label *newlabel)
935 struct mac_biba *source, *dest;
937 source = SLOT(newlabel);
938 dest = SLOT(cred->cr_label);
940 biba_copy(source, dest);
944 biba_devfs_create_device(struct ucred *cred, struct mount *mp,
945 struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
951 if (strcmp(dev->si_name, "null") == 0 ||
952 strcmp(dev->si_name, "zero") == 0 ||
953 strcmp(dev->si_name, "random") == 0 ||
954 strncmp(dev->si_name, "fd/", strlen("fd/")) == 0)
955 biba_type = MAC_BIBA_TYPE_EQUAL;
956 else if (ptys_equal &&
957 (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||
958 strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))
959 biba_type = MAC_BIBA_TYPE_EQUAL;
961 biba_type = MAC_BIBA_TYPE_HIGH;
962 biba_set_effective(mb, biba_type, 0, NULL);
966 biba_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen,
967 struct devfs_dirent *de, struct label *delabel)
973 biba_set_effective(mb, MAC_BIBA_TYPE_HIGH, 0, NULL);
977 biba_devfs_create_symlink(struct ucred *cred, struct mount *mp,
978 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
979 struct label *delabel)
981 struct mac_biba *source, *dest;
983 source = SLOT(cred->cr_label);
984 dest = SLOT(delabel);
986 biba_copy_effective(source, dest);
990 biba_devfs_update(struct mount *mp, struct devfs_dirent *de,
991 struct label *delabel, struct vnode *vp, struct label *vplabel)
993 struct mac_biba *source, *dest;
995 source = SLOT(vplabel);
996 dest = SLOT(delabel);
998 biba_copy(source, dest);
1002 biba_devfs_vnode_associate(struct mount *mp, struct label *mntlabel,
1003 struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
1004 struct label *vplabel)
1006 struct mac_biba *source, *dest;
1008 source = SLOT(delabel);
1009 dest = SLOT(vplabel);
1011 biba_copy_effective(source, dest);
1015 biba_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
1016 struct label *ifplabel, struct label *newlabel)
1018 struct mac_biba *subj, *new;
1021 subj = SLOT(cred->cr_label);
1022 new = SLOT(newlabel);
1025 * If there is a Biba label update for the interface, it may be an
1026 * update of the effective, range, or both.
1028 error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
1033 * Relabling network interfaces requires Biba privilege.
1035 error = biba_subject_privileged(subj);
1043 biba_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
1044 struct mbuf *m, struct label *mlabel)
1046 struct mac_biba *p, *i;
1054 return (biba_effective_in_range(p, i) ? 0 : EACCES);
1058 biba_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
1060 char tifname[IFNAMSIZ], *p, *q;
1061 char tiflist[sizeof(trusted_interfaces)];
1062 struct mac_biba *dest;
1065 dest = SLOT(ifplabel);
1067 if (ifp->if_type == IFT_LOOP || interfaces_equal != 0) {
1068 type = MAC_BIBA_TYPE_EQUAL;
1072 if (trust_all_interfaces) {
1073 type = MAC_BIBA_TYPE_HIGH;
1077 type = MAC_BIBA_TYPE_LOW;
1079 if (trusted_interfaces[0] == '\0' ||
1080 !strvalid(trusted_interfaces, sizeof(trusted_interfaces)))
1083 bzero(tiflist, sizeof(tiflist));
1084 for (p = trusted_interfaces, q = tiflist; *p != '\0'; p++, q++)
1085 if(*p != ' ' && *p != '\t')
1088 for (p = q = tiflist;; p++) {
1089 if (*p == ',' || *p == '\0') {
1091 if (len < IFNAMSIZ) {
1092 bzero(tifname, sizeof(tifname));
1093 bcopy(q, tifname, len);
1094 if (strcmp(tifname, ifp->if_xname) == 0) {
1095 type = MAC_BIBA_TYPE_HIGH;
1100 printf("mac_biba warning: interface name "
1101 "\"%s\" is too long (must be < %d)\n",
1110 biba_set_effective(dest, type, 0, NULL);
1111 biba_set_range(dest, type, 0, NULL, type, 0, NULL);
1115 biba_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
1116 struct mbuf *m, struct label *mlabel)
1118 struct mac_biba *source, *dest;
1120 source = SLOT(ifplabel);
1121 dest = SLOT(mlabel);
1123 biba_copy_effective(source, dest);
1127 biba_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
1128 struct label *ifplabel, struct label *newlabel)
1130 struct mac_biba *source, *dest;
1132 source = SLOT(newlabel);
1133 dest = SLOT(ifplabel);
1135 biba_copy(source, dest);
1139 biba_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
1140 struct mbuf *m, struct label *mlabel)
1142 struct mac_biba *p, *i;
1150 return (biba_equal_effective(p, i) ? 0 : EACCES);
1154 biba_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
1155 struct label *inplabel)
1157 struct mac_biba *subj, *obj;
1162 subj = SLOT(cred->cr_label);
1163 obj = SLOT(inplabel);
1165 if (!biba_dominate_effective(obj, subj))
1172 biba_inpcb_create(struct socket *so, struct label *solabel,
1173 struct inpcb *inp, struct label *inplabel)
1175 struct mac_biba *source, *dest;
1177 source = SLOT(solabel);
1178 dest = SLOT(inplabel);
1181 biba_copy_effective(source, dest);
1186 biba_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
1187 struct mbuf *m, struct label *mlabel)
1189 struct mac_biba *source, *dest;
1191 source = SLOT(inplabel);
1192 dest = SLOT(mlabel);
1194 biba_copy_effective(source, dest);
1198 biba_inpcb_sosetlabel(struct socket *so, struct label *solabel,
1199 struct inpcb *inp, struct label *inplabel)
1201 struct mac_biba *source, *dest;
1203 SOCK_LOCK_ASSERT(so);
1205 source = SLOT(solabel);
1206 dest = SLOT(inplabel);
1208 biba_copy(source, dest);
1212 biba_ip6q_create(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
1213 struct label *q6label)
1215 struct mac_biba *source, *dest;
1217 source = SLOT(mlabel);
1218 dest = SLOT(q6label);
1220 biba_copy_effective(source, dest);
1224 biba_ip6q_match(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
1225 struct label *q6label)
1227 struct mac_biba *a, *b;
1232 return (biba_equal_effective(a, b));
1236 biba_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m,
1237 struct label *mlabel)
1239 struct mac_biba *source, *dest;
1241 source = SLOT(q6label);
1242 dest = SLOT(mlabel);
1244 /* Just use the head, since we require them all to match. */
1245 biba_copy_effective(source, dest);
1249 biba_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
1250 struct label *q6label)
1253 /* NOOP: we only accept matching labels, so no need to update */
1257 biba_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *q,
1258 struct label *qlabel)
1260 struct mac_biba *source, *dest;
1262 source = SLOT(mlabel);
1263 dest = SLOT(qlabel);
1265 biba_copy_effective(source, dest);
1269 biba_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *q,
1270 struct label *qlabel)
1272 struct mac_biba *a, *b;
1277 return (biba_equal_effective(a, b));
1281 biba_ipq_reassemble(struct ipq *q, struct label *qlabel, struct mbuf *m,
1282 struct label *mlabel)
1284 struct mac_biba *source, *dest;
1286 source = SLOT(qlabel);
1287 dest = SLOT(mlabel);
1289 /* Just use the head, since we require them all to match. */
1290 biba_copy_effective(source, dest);
1294 biba_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *q,
1295 struct label *qlabel)
1298 /* NOOP: we only accept matching labels, so no need to update */
1302 biba_kld_check_load(struct ucred *cred, struct vnode *vp,
1303 struct label *vplabel)
1305 struct mac_biba *subj, *obj;
1311 subj = SLOT(cred->cr_label);
1313 error = biba_subject_privileged(subj);
1317 obj = SLOT(vplabel);
1318 if (!biba_high_effective(obj))
1325 biba_mount_check_stat(struct ucred *cred, struct mount *mp,
1326 struct label *mplabel)
1328 struct mac_biba *subj, *obj;
1333 subj = SLOT(cred->cr_label);
1334 obj = SLOT(mplabel);
1336 if (!biba_dominate_effective(obj, subj))
1343 biba_mount_create(struct ucred *cred, struct mount *mp,
1344 struct label *mplabel)
1346 struct mac_biba *source, *dest;
1348 source = SLOT(cred->cr_label);
1349 dest = SLOT(mplabel);
1351 biba_copy_effective(source, dest);
1355 biba_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel,
1356 struct mbuf *m, struct label *mlabel)
1358 struct mac_biba *dest;
1360 dest = SLOT(mlabel);
1362 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
1366 biba_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
1367 struct mbuf *m, struct label *mlabel)
1369 struct mac_biba *dest;
1371 dest = SLOT(mlabel);
1373 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
1377 biba_netinet_firewall_reply(struct mbuf *mrecv, struct label *mrecvlabel,
1378 struct mbuf *msend, struct label *msendlabel)
1380 struct mac_biba *source, *dest;
1382 source = SLOT(mrecvlabel);
1383 dest = SLOT(msendlabel);
1385 biba_copy_effective(source, dest);
1389 biba_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
1391 struct mac_biba *dest;
1393 dest = SLOT(mlabel);
1395 /* XXX: where is the label for the firewall really coming from? */
1396 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
1400 biba_netinet_fragment(struct mbuf *m, struct label *mlabel,
1401 struct mbuf *frag, struct label *fraglabel)
1403 struct mac_biba *source, *dest;
1405 source = SLOT(mlabel);
1406 dest = SLOT(fraglabel);
1408 biba_copy_effective(source, dest);
1412 biba_netinet_icmp_reply(struct mbuf *mrecv, struct label *mrecvlabel,
1413 struct mbuf *msend, struct label *msendlabel)
1415 struct mac_biba *source, *dest;
1417 source = SLOT(mrecvlabel);
1418 dest = SLOT(msendlabel);
1420 biba_copy_effective(source, dest);
1424 biba_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
1425 struct mbuf *m, struct label *mlabel)
1427 struct mac_biba *dest;
1429 dest = SLOT(mlabel);
1431 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
1435 biba_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
1436 struct mbuf *m, struct label *mlabel)
1438 struct mac_biba *dest;
1440 dest = SLOT(mlabel);
1442 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
1446 biba_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
1447 struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
1453 /* XXX: This will be implemented soon... */
1459 biba_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
1460 struct label *pplabel)
1462 struct mac_biba *subj, *obj;
1467 subj = SLOT(cred->cr_label);
1468 obj = SLOT(pplabel);
1470 if (!biba_dominate_effective(obj, subj))
1477 biba_pipe_check_read(struct ucred *cred, struct pipepair *pp,
1478 struct label *pplabel)
1480 struct mac_biba *subj, *obj;
1485 subj = SLOT(cred->cr_label);
1486 obj = SLOT(pplabel);
1488 if (!biba_dominate_effective(obj, subj))
1495 biba_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
1496 struct label *pplabel, struct label *newlabel)
1498 struct mac_biba *subj, *obj, *new;
1501 new = SLOT(newlabel);
1502 subj = SLOT(cred->cr_label);
1503 obj = SLOT(pplabel);
1506 * If there is a Biba label update for a pipe, it must be a effective
1509 error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
1514 * To perform a relabel of a pipe (Biba label or not), Biba must
1515 * authorize the relabel.
1517 if (!biba_effective_in_range(obj, subj))
1521 * If the Biba label is to be changed, authorize as appropriate.
1523 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
1525 * To change the Biba label on a pipe, the new pipe label
1526 * must be in the subject range.
1528 if (!biba_effective_in_range(new, subj))
1532 * To change the Biba label on a pipe to be EQUAL, the
1533 * subject must have appropriate privilege.
1535 if (biba_contains_equal(new)) {
1536 error = biba_subject_privileged(subj);
1546 biba_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
1547 struct label *pplabel)
1549 struct mac_biba *subj, *obj;
1554 subj = SLOT(cred->cr_label);
1555 obj = SLOT(pplabel);
1557 if (!biba_dominate_effective(obj, subj))
1564 biba_pipe_check_write(struct ucred *cred, struct pipepair *pp,
1565 struct label *pplabel)
1567 struct mac_biba *subj, *obj;
1572 subj = SLOT(cred->cr_label);
1573 obj = SLOT(pplabel);
1575 if (!biba_dominate_effective(subj, obj))
1582 biba_pipe_create(struct ucred *cred, struct pipepair *pp,
1583 struct label *pplabel)
1585 struct mac_biba *source, *dest;
1587 source = SLOT(cred->cr_label);
1588 dest = SLOT(pplabel);
1590 biba_copy_effective(source, dest);
1594 biba_pipe_relabel(struct ucred *cred, struct pipepair *pp,
1595 struct label *pplabel, struct label *newlabel)
1597 struct mac_biba *source, *dest;
1599 source = SLOT(newlabel);
1600 dest = SLOT(pplabel);
1602 biba_copy(source, dest);
1606 biba_posixsem_check_openunlink(struct ucred *cred, struct ksem *ks,
1607 struct label *kslabel)
1609 struct mac_biba *subj, *obj;
1614 subj = SLOT(cred->cr_label);
1615 obj = SLOT(kslabel);
1617 if (!biba_dominate_effective(subj, obj))
1624 biba_posixsem_check_write(struct ucred *active_cred, struct ucred *file_cred,
1625 struct ksem *ks, struct label *kslabel)
1627 struct mac_biba *subj, *obj;
1632 subj = SLOT(active_cred->cr_label);
1633 obj = SLOT(kslabel);
1635 if (!biba_dominate_effective(subj, obj))
1642 biba_posixsem_check_rdonly(struct ucred *active_cred, struct ucred *file_cred,
1643 struct ksem *ks, struct label *kslabel)
1645 struct mac_biba *subj, *obj;
1650 subj = SLOT(active_cred->cr_label);
1651 obj = SLOT(kslabel);
1653 if (!biba_dominate_effective(obj, subj))
1660 biba_posixsem_create(struct ucred *cred, struct ksem *ks,
1661 struct label *kslabel)
1663 struct mac_biba *source, *dest;
1665 source = SLOT(cred->cr_label);
1666 dest = SLOT(kslabel);
1668 biba_copy_effective(source, dest);
1672 * Some system privileges are allowed regardless of integrity grade; others
1673 * are allowed only when running with privilege with respect to the Biba
1674 * policy as they might otherwise allow bypassing of the integrity policy.
1677 biba_priv_check(struct ucred *cred, int priv)
1679 struct mac_biba *subj;
1686 * Exempt only specific privileges from the Biba integrity policy.
1693 * Allow processes to manipulate basic process audit properties, and
1694 * to submit audit records.
1696 case PRIV_AUDIT_GETAUDIT:
1697 case PRIV_AUDIT_SETAUDIT:
1698 case PRIV_AUDIT_SUBMIT:
1701 * Allow processes to manipulate their regular UNIX credentials.
1703 case PRIV_CRED_SETUID:
1704 case PRIV_CRED_SETEUID:
1705 case PRIV_CRED_SETGID:
1706 case PRIV_CRED_SETEGID:
1707 case PRIV_CRED_SETGROUPS:
1708 case PRIV_CRED_SETREUID:
1709 case PRIV_CRED_SETREGID:
1710 case PRIV_CRED_SETRESUID:
1711 case PRIV_CRED_SETRESGID:
1714 * Allow processes to perform system monitoring.
1716 case PRIV_SEEOTHERGIDS:
1717 case PRIV_SEEOTHERUIDS:
1721 * Allow access to general process debugging facilities. We
1722 * separately control debugging based on MAC label.
1724 case PRIV_DEBUG_DIFFCRED:
1725 case PRIV_DEBUG_SUGID:
1726 case PRIV_DEBUG_UNPRIV:
1729 * Allow manipulating jails.
1731 case PRIV_JAIL_ATTACH:
1734 * Allow privilege with respect to the Partition policy, but not the
1737 case PRIV_MAC_PARTITION:
1740 * Allow privilege with respect to process resource limits and login
1743 case PRIV_PROC_LIMIT:
1744 case PRIV_PROC_SETLOGIN:
1745 case PRIV_PROC_SETRLIMIT:
1748 * Allow System V and POSIX IPC privileges.
1751 case PRIV_IPC_WRITE:
1752 case PRIV_IPC_ADMIN:
1753 case PRIV_IPC_MSGSIZE:
1757 * Allow certain scheduler manipulations -- possibly this should be
1758 * controlled by more fine-grained policy, as potentially low
1759 * integrity processes can deny CPU to higher integrity ones.
1761 case PRIV_SCHED_DIFFCRED:
1762 case PRIV_SCHED_SETPRIORITY:
1763 case PRIV_SCHED_RTPRIO:
1764 case PRIV_SCHED_SETPOLICY:
1765 case PRIV_SCHED_SET:
1766 case PRIV_SCHED_SETPARAM:
1769 * More IPC privileges.
1771 case PRIV_SEM_WRITE:
1774 * Allow signaling privileges subject to integrity policy.
1776 case PRIV_SIGNAL_DIFFCRED:
1777 case PRIV_SIGNAL_SUGID:
1780 * Allow access to only limited sysctls from lower integrity levels;
1781 * piggy-back on the Jail definition.
1783 case PRIV_SYSCTL_WRITEJAIL:
1786 * Allow TTY-based privileges, subject to general device access using
1787 * labels on TTY device nodes, but not console privilege.
1789 case PRIV_TTY_DRAINWAIT:
1790 case PRIV_TTY_DTRWAIT:
1791 case PRIV_TTY_EXCLUSIVE:
1796 * Grant most VFS privileges, as almost all are in practice bounded
1797 * by more specific checks using labels.
1800 case PRIV_VFS_WRITE:
1801 case PRIV_VFS_ADMIN:
1803 case PRIV_VFS_LOOKUP:
1804 case PRIV_VFS_CHFLAGS_DEV:
1805 case PRIV_VFS_CHOWN:
1806 case PRIV_VFS_CHROOT:
1807 case PRIV_VFS_RETAINSUGID:
1808 case PRIV_VFS_EXCEEDQUOTA:
1809 case PRIV_VFS_FCHROOT:
1810 case PRIV_VFS_FHOPEN:
1811 case PRIV_VFS_FHSTATFS:
1812 case PRIV_VFS_GENERATION:
1813 case PRIV_VFS_GETFH:
1814 case PRIV_VFS_GETQUOTA:
1816 case PRIV_VFS_MOUNT:
1817 case PRIV_VFS_MOUNT_OWNER:
1818 case PRIV_VFS_MOUNT_PERM:
1819 case PRIV_VFS_MOUNT_SUIDDIR:
1820 case PRIV_VFS_MOUNT_NONUSER:
1821 case PRIV_VFS_SETGID:
1822 case PRIV_VFS_STICKYFILE:
1823 case PRIV_VFS_SYSFLAGS:
1824 case PRIV_VFS_UNMOUNT:
1827 * Allow VM privileges; it would be nice if these were subject to
1830 case PRIV_VM_MADV_PROTECT:
1832 case PRIV_VM_MUNLOCK:
1833 case PRIV_VM_SWAP_NOQUOTA:
1834 case PRIV_VM_SWAP_NORLIMIT:
1837 * Allow some but not all network privileges. In general, dont allow
1838 * reconfiguring the network stack, just normal use.
1840 case PRIV_NETATALK_RESERVEDPORT:
1841 case PRIV_NETINET_RESERVEDPORT:
1842 case PRIV_NETINET_RAW:
1843 case PRIV_NETINET_REUSEPORT:
1844 case PRIV_NETIPX_RESERVEDPORT:
1845 case PRIV_NETIPX_RAW:
1849 * All remaining system privileges are allow only if the process
1850 * holds privilege with respect to the Biba policy.
1853 subj = SLOT(cred->cr_label);
1854 error = biba_subject_privileged(subj);
1862 biba_proc_check_debug(struct ucred *cred, struct proc *p)
1864 struct mac_biba *subj, *obj;
1869 subj = SLOT(cred->cr_label);
1870 obj = SLOT(p->p_ucred->cr_label);
1872 /* XXX: range checks */
1873 if (!biba_dominate_effective(obj, subj))
1875 if (!biba_dominate_effective(subj, obj))
1882 biba_proc_check_sched(struct ucred *cred, struct proc *p)
1884 struct mac_biba *subj, *obj;
1889 subj = SLOT(cred->cr_label);
1890 obj = SLOT(p->p_ucred->cr_label);
1892 /* XXX: range checks */
1893 if (!biba_dominate_effective(obj, subj))
1895 if (!biba_dominate_effective(subj, obj))
1902 biba_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
1904 struct mac_biba *subj, *obj;
1909 subj = SLOT(cred->cr_label);
1910 obj = SLOT(p->p_ucred->cr_label);
1912 /* XXX: range checks */
1913 if (!biba_dominate_effective(obj, subj))
1915 if (!biba_dominate_effective(subj, obj))
1922 biba_socket_check_deliver(struct socket *so, struct label *solabel,
1923 struct mbuf *m, struct label *mlabel)
1925 struct mac_biba *p, *s;
1935 error = biba_equal_effective(p, s) ? 0 : EACCES;
1941 biba_socket_check_relabel(struct ucred *cred, struct socket *so,
1942 struct label *solabel, struct label *newlabel)
1944 struct mac_biba *subj, *obj, *new;
1947 SOCK_LOCK_ASSERT(so);
1949 new = SLOT(newlabel);
1950 subj = SLOT(cred->cr_label);
1951 obj = SLOT(solabel);
1954 * If there is a Biba label update for the socket, it may be an
1955 * update of effective.
1957 error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
1962 * To relabel a socket, the old socket effective must be in the
1965 if (!biba_effective_in_range(obj, subj))
1969 * If the Biba label is to be changed, authorize as appropriate.
1971 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
1973 * To relabel a socket, the new socket effective must be in
1974 * the subject range.
1976 if (!biba_effective_in_range(new, subj))
1980 * To change the Biba label on the socket to contain EQUAL,
1981 * the subject must have appropriate privilege.
1983 if (biba_contains_equal(new)) {
1984 error = biba_subject_privileged(subj);
1994 biba_socket_check_visible(struct ucred *cred, struct socket *so,
1995 struct label *solabel)
1997 struct mac_biba *subj, *obj;
2002 subj = SLOT(cred->cr_label);
2003 obj = SLOT(solabel);
2006 if (!biba_dominate_effective(obj, subj)) {
2016 biba_socket_create(struct ucred *cred, struct socket *so,
2017 struct label *solabel)
2019 struct mac_biba *source, *dest;
2021 source = SLOT(cred->cr_label);
2022 dest = SLOT(solabel);
2024 biba_copy_effective(source, dest);
2028 biba_socket_create_mbuf(struct socket *so, struct label *solabel,
2029 struct mbuf *m, struct label *mlabel)
2031 struct mac_biba *source, *dest;
2033 source = SLOT(solabel);
2034 dest = SLOT(mlabel);
2037 biba_copy_effective(source, dest);
2042 biba_socket_newconn(struct socket *oldso, struct label *oldsolabel,
2043 struct socket *newso, struct label *newsolabel)
2045 struct mac_biba source, *dest;
2048 source = *SLOT(oldsolabel);
2051 dest = SLOT(newsolabel);
2054 biba_copy_effective(&source, dest);
2059 biba_socket_relabel(struct ucred *cred, struct socket *so,
2060 struct label *solabel, struct label *newlabel)
2062 struct mac_biba *source, *dest;
2064 SOCK_LOCK_ASSERT(so);
2066 source = SLOT(newlabel);
2067 dest = SLOT(solabel);
2069 biba_copy(source, dest);
2073 biba_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
2074 struct socket *so, struct label *sopeerlabel)
2076 struct mac_biba *source, *dest;
2078 source = SLOT(mlabel);
2079 dest = SLOT(sopeerlabel);
2082 biba_copy_effective(source, dest);
2087 biba_socketpeer_set_from_socket(struct socket *oldso,
2088 struct label *oldsolabel, struct socket *newso,
2089 struct label *newsopeerlabel)
2091 struct mac_biba source, *dest;
2094 source = *SLOT(oldsolabel);
2096 dest = SLOT(newsopeerlabel);
2099 biba_copy_effective(&source, dest);
2104 biba_syncache_create(struct label *label, struct inpcb *inp)
2106 struct mac_biba *source, *dest;
2108 source = SLOT(inp->inp_label);
2110 biba_copy_effective(source, dest);
2114 biba_syncache_create_mbuf(struct label *sc_label, struct mbuf *m,
2115 struct label *mlabel)
2117 struct mac_biba *source, *dest;
2119 source = SLOT(sc_label);
2120 dest = SLOT(mlabel);
2121 biba_copy_effective(source, dest);
2125 biba_system_check_acct(struct ucred *cred, struct vnode *vp,
2126 struct label *vplabel)
2128 struct mac_biba *subj, *obj;
2134 subj = SLOT(cred->cr_label);
2136 error = biba_subject_privileged(subj);
2140 if (vplabel == NULL)
2143 obj = SLOT(vplabel);
2144 if (!biba_high_effective(obj))
2151 biba_system_check_auditctl(struct ucred *cred, struct vnode *vp,
2152 struct label *vplabel)
2154 struct mac_biba *subj, *obj;
2160 subj = SLOT(cred->cr_label);
2162 error = biba_subject_privileged(subj);
2166 if (vplabel == NULL)
2169 obj = SLOT(vplabel);
2170 if (!biba_high_effective(obj))
2177 biba_system_check_auditon(struct ucred *cred, int cmd)
2179 struct mac_biba *subj;
2185 subj = SLOT(cred->cr_label);
2187 error = biba_subject_privileged(subj);
2195 biba_system_check_swapoff(struct ucred *cred, struct vnode *vp,
2196 struct label *label)
2198 struct mac_biba *subj;
2204 subj = SLOT(cred->cr_label);
2206 error = biba_subject_privileged(subj);
2214 biba_system_check_swapon(struct ucred *cred, struct vnode *vp,
2215 struct label *vplabel)
2217 struct mac_biba *subj, *obj;
2223 subj = SLOT(cred->cr_label);
2224 obj = SLOT(vplabel);
2226 error = biba_subject_privileged(subj);
2230 if (!biba_high_effective(obj))
2237 biba_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
2238 void *arg1, int arg2, struct sysctl_req *req)
2240 struct mac_biba *subj;
2246 subj = SLOT(cred->cr_label);
2249 * Treat sysctl variables without CTLFLAG_ANYBODY flag as biba/high,
2250 * but also require privilege to change them.
2252 if (req->newptr != NULL && (oidp->oid_kind & CTLFLAG_ANYBODY) == 0) {
2253 if (!biba_subject_dominate_high(subj))
2256 error = biba_subject_privileged(subj);
2265 biba_sysvmsg_cleanup(struct label *msglabel)
2268 bzero(SLOT(msglabel), sizeof(struct mac_biba));
2272 biba_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
2273 struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
2275 struct mac_biba *source, *dest;
2277 /* Ignore the msgq label */
2278 source = SLOT(cred->cr_label);
2279 dest = SLOT(msglabel);
2281 biba_copy_effective(source, dest);
2285 biba_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
2286 struct label *msglabel)
2288 struct mac_biba *subj, *obj;
2293 subj = SLOT(cred->cr_label);
2294 obj = SLOT(msglabel);
2296 if (!biba_dominate_effective(obj, subj))
2303 biba_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
2304 struct label *msglabel)
2306 struct mac_biba *subj, *obj;
2311 subj = SLOT(cred->cr_label);
2312 obj = SLOT(msglabel);
2314 if (!biba_dominate_effective(subj, obj))
2321 biba_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
2322 struct label *msqklabel)
2324 struct mac_biba *subj, *obj;
2329 subj = SLOT(cred->cr_label);
2330 obj = SLOT(msqklabel);
2332 if (!biba_dominate_effective(obj, subj))
2339 biba_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
2340 struct label *msqklabel)
2342 struct mac_biba *subj, *obj;
2347 subj = SLOT(cred->cr_label);
2348 obj = SLOT(msqklabel);
2350 if (!biba_dominate_effective(subj, obj))
2357 biba_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
2358 struct label *msqklabel)
2360 struct mac_biba *subj, *obj;
2365 subj = SLOT(cred->cr_label);
2366 obj = SLOT(msqklabel);
2368 if (!biba_dominate_effective(obj, subj))
2375 biba_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
2376 struct label *msqklabel, int cmd)
2378 struct mac_biba *subj, *obj;
2383 subj = SLOT(cred->cr_label);
2384 obj = SLOT(msqklabel);
2389 if (!biba_dominate_effective(subj, obj))
2394 if (!biba_dominate_effective(obj, subj))
2406 biba_sysvmsq_cleanup(struct label *msqlabel)
2409 bzero(SLOT(msqlabel), sizeof(struct mac_biba));
2413 biba_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr,
2414 struct label *msqlabel)
2416 struct mac_biba *source, *dest;
2418 source = SLOT(cred->cr_label);
2419 dest = SLOT(msqlabel);
2421 biba_copy_effective(source, dest);
2425 biba_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr,
2426 struct label *semaklabel, int cmd)
2428 struct mac_biba *subj, *obj;
2433 subj = SLOT(cred->cr_label);
2434 obj = SLOT(semaklabel);
2441 if (!biba_dominate_effective(subj, obj))
2451 if (!biba_dominate_effective(obj, subj))
2463 biba_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr,
2464 struct label *semaklabel)
2466 struct mac_biba *subj, *obj;
2471 subj = SLOT(cred->cr_label);
2472 obj = SLOT(semaklabel);
2474 if (!biba_dominate_effective(obj, subj))
2481 biba_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr,
2482 struct label *semaklabel, size_t accesstype)
2484 struct mac_biba *subj, *obj;
2489 subj = SLOT(cred->cr_label);
2490 obj = SLOT(semaklabel);
2492 if (accesstype & SEM_R)
2493 if (!biba_dominate_effective(obj, subj))
2496 if (accesstype & SEM_A)
2497 if (!biba_dominate_effective(subj, obj))
2504 biba_sysvsem_cleanup(struct label *semalabel)
2507 bzero(SLOT(semalabel), sizeof(struct mac_biba));
2511 biba_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
2512 struct label *semalabel)
2514 struct mac_biba *source, *dest;
2516 source = SLOT(cred->cr_label);
2517 dest = SLOT(semalabel);
2519 biba_copy_effective(source, dest);
2523 biba_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
2524 struct label *shmseglabel, int shmflg)
2526 struct mac_biba *subj, *obj;
2531 subj = SLOT(cred->cr_label);
2532 obj = SLOT(shmseglabel);
2534 if (!biba_dominate_effective(obj, subj))
2536 if ((shmflg & SHM_RDONLY) == 0) {
2537 if (!biba_dominate_effective(subj, obj))
2545 biba_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
2546 struct label *shmseglabel, int cmd)
2548 struct mac_biba *subj, *obj;
2553 subj = SLOT(cred->cr_label);
2554 obj = SLOT(shmseglabel);
2559 if (!biba_dominate_effective(subj, obj))
2565 if (!biba_dominate_effective(obj, subj))
2577 biba_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
2578 struct label *shmseglabel, int shmflg)
2580 struct mac_biba *subj, *obj;
2585 subj = SLOT(cred->cr_label);
2586 obj = SLOT(shmseglabel);
2588 if (!biba_dominate_effective(obj, subj))
2595 biba_sysvshm_cleanup(struct label *shmlabel)
2598 bzero(SLOT(shmlabel), sizeof(struct mac_biba));
2602 biba_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
2603 struct label *shmlabel)
2605 struct mac_biba *source, *dest;
2607 source = SLOT(cred->cr_label);
2608 dest = SLOT(shmlabel);
2610 biba_copy_effective(source, dest);
2614 biba_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
2615 struct vnode *vp, struct label *vplabel)
2617 struct mac_biba mb_temp, *source, *dest;
2620 source = SLOT(mplabel);
2621 dest = SLOT(vplabel);
2623 buflen = sizeof(mb_temp);
2624 bzero(&mb_temp, buflen);
2626 error = vn_extattr_get(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
2627 MAC_BIBA_EXTATTR_NAME, &buflen, (char *) &mb_temp, curthread);
2628 if (error == ENOATTR || error == EOPNOTSUPP) {
2629 /* Fall back to the mntlabel. */
2630 biba_copy_effective(source, dest);
2635 if (buflen != sizeof(mb_temp)) {
2636 printf("biba_vnode_associate_extattr: bad size %d\n",
2640 if (biba_valid(&mb_temp) != 0) {
2641 printf("biba_vnode_associate_extattr: invalid\n");
2644 if ((mb_temp.mb_flags & MAC_BIBA_FLAGS_BOTH) !=
2645 MAC_BIBA_FLAG_EFFECTIVE) {
2646 printf("biba_vnode_associate_extattr: not effective\n");
2650 biba_copy_effective(&mb_temp, dest);
2655 biba_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel,
2656 struct vnode *vp, struct label *vplabel)
2658 struct mac_biba *source, *dest;
2660 source = SLOT(mplabel);
2661 dest = SLOT(vplabel);
2663 biba_copy_effective(source, dest);
2667 biba_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
2668 struct label *dvplabel)
2670 struct mac_biba *subj, *obj;
2675 subj = SLOT(cred->cr_label);
2676 obj = SLOT(dvplabel);
2678 if (!biba_dominate_effective(obj, subj))
2685 biba_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
2686 struct label *dvplabel)
2688 struct mac_biba *subj, *obj;
2693 subj = SLOT(cred->cr_label);
2694 obj = SLOT(dvplabel);
2696 if (!biba_dominate_effective(obj, subj))
2703 biba_vnode_check_create(struct ucred *cred, struct vnode *dvp,
2704 struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
2706 struct mac_biba *subj, *obj;
2711 subj = SLOT(cred->cr_label);
2712 obj = SLOT(dvplabel);
2714 if (!biba_dominate_effective(subj, obj))
2721 biba_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
2722 struct label *vplabel, acl_type_t type)
2724 struct mac_biba *subj, *obj;
2729 subj = SLOT(cred->cr_label);
2730 obj = SLOT(vplabel);
2732 if (!biba_dominate_effective(subj, obj))
2739 biba_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
2740 struct label *vplabel, int attrnamespace, const char *name)
2742 struct mac_biba *subj, *obj;
2747 subj = SLOT(cred->cr_label);
2748 obj = SLOT(vplabel);
2750 if (!biba_dominate_effective(subj, obj))
2757 biba_vnode_check_exec(struct ucred *cred, struct vnode *vp,
2758 struct label *vplabel, struct image_params *imgp,
2759 struct label *execlabel)
2761 struct mac_biba *subj, *obj, *exec;
2764 if (execlabel != NULL) {
2766 * We currently don't permit labels to be changed at
2767 * exec-time as part of Biba, so disallow non-NULL Biba label
2768 * elements in the execlabel.
2770 exec = SLOT(execlabel);
2771 error = biba_atmostflags(exec, 0);
2779 subj = SLOT(cred->cr_label);
2780 obj = SLOT(vplabel);
2782 if (!biba_dominate_effective(obj, subj))
2789 biba_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
2790 struct label *vplabel, acl_type_t type)
2792 struct mac_biba *subj, *obj;
2797 subj = SLOT(cred->cr_label);
2798 obj = SLOT(vplabel);
2800 if (!biba_dominate_effective(obj, subj))
2807 biba_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
2808 struct label *vplabel, int attrnamespace, const char *name)
2810 struct mac_biba *subj, *obj;
2815 subj = SLOT(cred->cr_label);
2816 obj = SLOT(vplabel);
2818 if (!biba_dominate_effective(obj, subj))
2825 biba_vnode_check_link(struct ucred *cred, struct vnode *dvp,
2826 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2827 struct componentname *cnp)
2829 struct mac_biba *subj, *obj;
2834 subj = SLOT(cred->cr_label);
2835 obj = SLOT(dvplabel);
2837 if (!biba_dominate_effective(subj, obj))
2840 obj = SLOT(vplabel);
2842 if (!biba_dominate_effective(subj, obj))
2849 biba_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
2850 struct label *vplabel, int attrnamespace)
2852 struct mac_biba *subj, *obj;
2857 subj = SLOT(cred->cr_label);
2858 obj = SLOT(vplabel);
2860 if (!biba_dominate_effective(obj, subj))
2867 biba_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
2868 struct label *dvplabel, struct componentname *cnp)
2870 struct mac_biba *subj, *obj;
2875 subj = SLOT(cred->cr_label);
2876 obj = SLOT(dvplabel);
2878 if (!biba_dominate_effective(obj, subj))
2885 biba_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
2886 struct label *vplabel, int prot, int flags)
2888 struct mac_biba *subj, *obj;
2891 * Rely on the use of open()-time protections to handle
2892 * non-revocation cases.
2894 if (!biba_enabled || !revocation_enabled)
2897 subj = SLOT(cred->cr_label);
2898 obj = SLOT(vplabel);
2900 if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
2901 if (!biba_dominate_effective(obj, subj))
2904 if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) {
2905 if (!biba_dominate_effective(subj, obj))
2913 biba_vnode_check_open(struct ucred *cred, struct vnode *vp,
2914 struct label *vplabel, accmode_t accmode)
2916 struct mac_biba *subj, *obj;
2921 subj = SLOT(cred->cr_label);
2922 obj = SLOT(vplabel);
2924 /* XXX privilege override for admin? */
2925 if (accmode & (VREAD | VEXEC | VSTAT_PERMS)) {
2926 if (!biba_dominate_effective(obj, subj))
2929 if (accmode & VMODIFY_PERMS) {
2930 if (!biba_dominate_effective(subj, obj))
2938 biba_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
2939 struct vnode *vp, struct label *vplabel)
2941 struct mac_biba *subj, *obj;
2943 if (!biba_enabled || !revocation_enabled)
2946 subj = SLOT(active_cred->cr_label);
2947 obj = SLOT(vplabel);
2949 if (!biba_dominate_effective(obj, subj))
2956 biba_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
2957 struct vnode *vp, struct label *vplabel)
2959 struct mac_biba *subj, *obj;
2961 if (!biba_enabled || !revocation_enabled)
2964 subj = SLOT(active_cred->cr_label);
2965 obj = SLOT(vplabel);
2967 if (!biba_dominate_effective(obj, subj))
2974 biba_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
2975 struct label *dvplabel)
2977 struct mac_biba *subj, *obj;
2982 subj = SLOT(cred->cr_label);
2983 obj = SLOT(dvplabel);
2985 if (!biba_dominate_effective(obj, subj))
2992 biba_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
2993 struct label *vplabel)
2995 struct mac_biba *subj, *obj;
3000 subj = SLOT(cred->cr_label);
3001 obj = SLOT(vplabel);
3003 if (!biba_dominate_effective(obj, subj))
3010 biba_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
3011 struct label *vplabel, struct label *newlabel)
3013 struct mac_biba *old, *new, *subj;
3016 old = SLOT(vplabel);
3017 new = SLOT(newlabel);
3018 subj = SLOT(cred->cr_label);
3021 * If there is a Biba label update for the vnode, it must be a
3024 error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
3029 * To perform a relabel of the vnode (Biba label or not), Biba must
3030 * authorize the relabel.
3032 if (!biba_effective_in_range(old, subj))
3036 * If the Biba label is to be changed, authorize as appropriate.
3038 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
3040 * To change the Biba label on a vnode, the new vnode label
3041 * must be in the subject range.
3043 if (!biba_effective_in_range(new, subj))
3047 * To change the Biba label on the vnode to be EQUAL, the
3048 * subject must have appropriate privilege.
3050 if (biba_contains_equal(new)) {
3051 error = biba_subject_privileged(subj);
3061 biba_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
3062 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
3063 struct componentname *cnp)
3065 struct mac_biba *subj, *obj;
3070 subj = SLOT(cred->cr_label);
3071 obj = SLOT(dvplabel);
3073 if (!biba_dominate_effective(subj, obj))
3076 obj = SLOT(vplabel);
3078 if (!biba_dominate_effective(subj, obj))
3085 biba_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
3086 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
3087 int samedir, struct componentname *cnp)
3089 struct mac_biba *subj, *obj;
3094 subj = SLOT(cred->cr_label);
3095 obj = SLOT(dvplabel);
3097 if (!biba_dominate_effective(subj, obj))
3101 obj = SLOT(vplabel);
3103 if (!biba_dominate_effective(subj, obj))
3111 biba_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
3112 struct label *vplabel)
3114 struct mac_biba *subj, *obj;
3119 subj = SLOT(cred->cr_label);
3120 obj = SLOT(vplabel);
3122 if (!biba_dominate_effective(subj, obj))
3129 biba_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
3130 struct label *vplabel, acl_type_t type, struct acl *acl)
3132 struct mac_biba *subj, *obj;
3137 subj = SLOT(cred->cr_label);
3138 obj = SLOT(vplabel);
3140 if (!biba_dominate_effective(subj, obj))
3147 biba_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
3148 struct label *vplabel, int attrnamespace, const char *name)
3150 struct mac_biba *subj, *obj;
3155 subj = SLOT(cred->cr_label);
3156 obj = SLOT(vplabel);
3158 if (!biba_dominate_effective(subj, obj))
3161 /* XXX: protect the MAC EA in a special way? */
3167 biba_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
3168 struct label *vplabel, u_long flags)
3170 struct mac_biba *subj, *obj;
3175 subj = SLOT(cred->cr_label);
3176 obj = SLOT(vplabel);
3178 if (!biba_dominate_effective(subj, obj))
3185 biba_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
3186 struct label *vplabel, mode_t mode)
3188 struct mac_biba *subj, *obj;
3193 subj = SLOT(cred->cr_label);
3194 obj = SLOT(vplabel);
3196 if (!biba_dominate_effective(subj, obj))
3203 biba_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
3204 struct label *vplabel, uid_t uid, gid_t gid)
3206 struct mac_biba *subj, *obj;
3211 subj = SLOT(cred->cr_label);
3212 obj = SLOT(vplabel);
3214 if (!biba_dominate_effective(subj, obj))
3221 biba_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
3222 struct label *vplabel, struct timespec atime, struct timespec mtime)
3224 struct mac_biba *subj, *obj;
3229 subj = SLOT(cred->cr_label);
3230 obj = SLOT(vplabel);
3232 if (!biba_dominate_effective(subj, obj))
3239 biba_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
3240 struct vnode *vp, struct label *vplabel)
3242 struct mac_biba *subj, *obj;
3247 subj = SLOT(active_cred->cr_label);
3248 obj = SLOT(vplabel);
3250 if (!biba_dominate_effective(obj, subj))
3257 biba_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
3258 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
3259 struct componentname *cnp)
3261 struct mac_biba *subj, *obj;
3266 subj = SLOT(cred->cr_label);
3267 obj = SLOT(dvplabel);
3269 if (!biba_dominate_effective(subj, obj))
3272 obj = SLOT(vplabel);
3274 if (!biba_dominate_effective(subj, obj))
3281 biba_vnode_check_write(struct ucred *active_cred,
3282 struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
3284 struct mac_biba *subj, *obj;
3286 if (!biba_enabled || !revocation_enabled)
3289 subj = SLOT(active_cred->cr_label);
3290 obj = SLOT(vplabel);
3292 if (!biba_dominate_effective(subj, obj))
3299 biba_vnode_create_extattr(struct ucred *cred, struct mount *mp,
3300 struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
3301 struct vnode *vp, struct label *vplabel, struct componentname *cnp)
3303 struct mac_biba *source, *dest, mb_temp;
3307 buflen = sizeof(mb_temp);
3308 bzero(&mb_temp, buflen);
3310 source = SLOT(cred->cr_label);
3311 dest = SLOT(vplabel);
3312 biba_copy_effective(source, &mb_temp);
3314 error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
3315 MAC_BIBA_EXTATTR_NAME, buflen, (char *) &mb_temp, curthread);
3317 biba_copy_effective(source, dest);
3322 biba_vnode_relabel(struct ucred *cred, struct vnode *vp,
3323 struct label *vplabel, struct label *newlabel)
3325 struct mac_biba *source, *dest;
3327 source = SLOT(newlabel);
3328 dest = SLOT(vplabel);
3330 biba_copy(source, dest);
3334 biba_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
3335 struct label *vplabel, struct label *intlabel)
3337 struct mac_biba *source, mb_temp;
3341 buflen = sizeof(mb_temp);
3342 bzero(&mb_temp, buflen);
3344 source = SLOT(intlabel);
3345 if ((source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) == 0)
3348 biba_copy_effective(source, &mb_temp);
3350 error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
3351 MAC_BIBA_EXTATTR_NAME, buflen, (char *) &mb_temp, curthread);
3355 static struct mac_policy_ops mac_biba_ops =
3357 .mpo_init = biba_init,
3359 .mpo_bpfdesc_check_receive = biba_bpfdesc_check_receive,
3360 .mpo_bpfdesc_create = biba_bpfdesc_create,
3361 .mpo_bpfdesc_create_mbuf = biba_bpfdesc_create_mbuf,
3362 .mpo_bpfdesc_destroy_label = biba_destroy_label,
3363 .mpo_bpfdesc_init_label = biba_init_label,
3365 .mpo_cred_associate_nfsd = biba_cred_associate_nfsd,
3366 .mpo_cred_check_relabel = biba_cred_check_relabel,
3367 .mpo_cred_check_visible = biba_cred_check_visible,
3368 .mpo_cred_copy_label = biba_copy_label,
3369 .mpo_cred_create_init = biba_cred_create_init,
3370 .mpo_cred_create_swapper = biba_cred_create_swapper,
3371 .mpo_cred_destroy_label = biba_destroy_label,
3372 .mpo_cred_externalize_label = biba_externalize_label,
3373 .mpo_cred_init_label = biba_init_label,
3374 .mpo_cred_internalize_label = biba_internalize_label,
3375 .mpo_cred_relabel = biba_cred_relabel,
3377 .mpo_devfs_create_device = biba_devfs_create_device,
3378 .mpo_devfs_create_directory = biba_devfs_create_directory,
3379 .mpo_devfs_create_symlink = biba_devfs_create_symlink,
3380 .mpo_devfs_destroy_label = biba_destroy_label,
3381 .mpo_devfs_init_label = biba_init_label,
3382 .mpo_devfs_update = biba_devfs_update,
3383 .mpo_devfs_vnode_associate = biba_devfs_vnode_associate,
3385 .mpo_ifnet_check_relabel = biba_ifnet_check_relabel,
3386 .mpo_ifnet_check_transmit = biba_ifnet_check_transmit,
3387 .mpo_ifnet_copy_label = biba_copy_label,
3388 .mpo_ifnet_create = biba_ifnet_create,
3389 .mpo_ifnet_create_mbuf = biba_ifnet_create_mbuf,
3390 .mpo_ifnet_destroy_label = biba_destroy_label,
3391 .mpo_ifnet_externalize_label = biba_externalize_label,
3392 .mpo_ifnet_init_label = biba_init_label,
3393 .mpo_ifnet_internalize_label = biba_internalize_label,
3394 .mpo_ifnet_relabel = biba_ifnet_relabel,
3396 .mpo_inpcb_check_deliver = biba_inpcb_check_deliver,
3397 .mpo_inpcb_check_visible = biba_inpcb_check_visible,
3398 .mpo_inpcb_create = biba_inpcb_create,
3399 .mpo_inpcb_create_mbuf = biba_inpcb_create_mbuf,
3400 .mpo_inpcb_destroy_label = biba_destroy_label,
3401 .mpo_inpcb_init_label = biba_init_label_waitcheck,
3402 .mpo_inpcb_sosetlabel = biba_inpcb_sosetlabel,
3404 .mpo_ip6q_create = biba_ip6q_create,
3405 .mpo_ip6q_destroy_label = biba_destroy_label,
3406 .mpo_ip6q_init_label = biba_init_label_waitcheck,
3407 .mpo_ip6q_match = biba_ip6q_match,
3408 .mpo_ip6q_reassemble = biba_ip6q_reassemble,
3409 .mpo_ip6q_update = biba_ip6q_update,
3411 .mpo_ipq_create = biba_ipq_create,
3412 .mpo_ipq_destroy_label = biba_destroy_label,
3413 .mpo_ipq_init_label = biba_init_label_waitcheck,
3414 .mpo_ipq_match = biba_ipq_match,
3415 .mpo_ipq_reassemble = biba_ipq_reassemble,
3416 .mpo_ipq_update = biba_ipq_update,
3418 .mpo_kld_check_load = biba_kld_check_load,
3420 .mpo_mbuf_copy_label = biba_copy_label,
3421 .mpo_mbuf_destroy_label = biba_destroy_label,
3422 .mpo_mbuf_init_label = biba_init_label_waitcheck,
3424 .mpo_mount_check_stat = biba_mount_check_stat,
3425 .mpo_mount_create = biba_mount_create,
3426 .mpo_mount_destroy_label = biba_destroy_label,
3427 .mpo_mount_init_label = biba_init_label,
3429 .mpo_netatalk_aarp_send = biba_netatalk_aarp_send,
3431 .mpo_netinet_arp_send = biba_netinet_arp_send,
3432 .mpo_netinet_firewall_reply = biba_netinet_firewall_reply,
3433 .mpo_netinet_firewall_send = biba_netinet_firewall_send,
3434 .mpo_netinet_fragment = biba_netinet_fragment,
3435 .mpo_netinet_icmp_reply = biba_netinet_icmp_reply,
3436 .mpo_netinet_igmp_send = biba_netinet_igmp_send,
3438 .mpo_netinet6_nd6_send = biba_netinet6_nd6_send,
3440 .mpo_pipe_check_ioctl = biba_pipe_check_ioctl,
3441 .mpo_pipe_check_poll = biba_pipe_check_poll,
3442 .mpo_pipe_check_read = biba_pipe_check_read,
3443 .mpo_pipe_check_relabel = biba_pipe_check_relabel,
3444 .mpo_pipe_check_stat = biba_pipe_check_stat,
3445 .mpo_pipe_check_write = biba_pipe_check_write,
3446 .mpo_pipe_copy_label = biba_copy_label,
3447 .mpo_pipe_create = biba_pipe_create,
3448 .mpo_pipe_destroy_label = biba_destroy_label,
3449 .mpo_pipe_externalize_label = biba_externalize_label,
3450 .mpo_pipe_init_label = biba_init_label,
3451 .mpo_pipe_internalize_label = biba_internalize_label,
3452 .mpo_pipe_relabel = biba_pipe_relabel,
3454 .mpo_posixsem_check_getvalue = biba_posixsem_check_rdonly,
3455 .mpo_posixsem_check_open = biba_posixsem_check_openunlink,
3456 .mpo_posixsem_check_post = biba_posixsem_check_write,
3457 .mpo_posixsem_check_stat = biba_posixsem_check_rdonly,
3458 .mpo_posixsem_check_unlink = biba_posixsem_check_openunlink,
3459 .mpo_posixsem_check_wait = biba_posixsem_check_write,
3460 .mpo_posixsem_create = biba_posixsem_create,
3461 .mpo_posixsem_destroy_label = biba_destroy_label,
3462 .mpo_posixsem_init_label = biba_init_label,
3464 .mpo_priv_check = biba_priv_check,
3466 .mpo_proc_check_debug = biba_proc_check_debug,
3467 .mpo_proc_check_sched = biba_proc_check_sched,
3468 .mpo_proc_check_signal = biba_proc_check_signal,
3470 .mpo_socket_check_deliver = biba_socket_check_deliver,
3471 .mpo_socket_check_relabel = biba_socket_check_relabel,
3472 .mpo_socket_check_visible = biba_socket_check_visible,
3473 .mpo_socket_copy_label = biba_copy_label,
3474 .mpo_socket_create = biba_socket_create,
3475 .mpo_socket_create_mbuf = biba_socket_create_mbuf,
3476 .mpo_socket_destroy_label = biba_destroy_label,
3477 .mpo_socket_externalize_label = biba_externalize_label,
3478 .mpo_socket_init_label = biba_init_label_waitcheck,
3479 .mpo_socket_internalize_label = biba_internalize_label,
3480 .mpo_socket_newconn = biba_socket_newconn,
3481 .mpo_socket_relabel = biba_socket_relabel,
3483 .mpo_socketpeer_destroy_label = biba_destroy_label,
3484 .mpo_socketpeer_externalize_label = biba_externalize_label,
3485 .mpo_socketpeer_init_label = biba_init_label_waitcheck,
3486 .mpo_socketpeer_set_from_mbuf = biba_socketpeer_set_from_mbuf,
3487 .mpo_socketpeer_set_from_socket = biba_socketpeer_set_from_socket,
3489 .mpo_syncache_create = biba_syncache_create,
3490 .mpo_syncache_create_mbuf = biba_syncache_create_mbuf,
3491 .mpo_syncache_destroy_label = biba_destroy_label,
3492 .mpo_syncache_init_label = biba_init_label_waitcheck,
3494 .mpo_system_check_acct = biba_system_check_acct,
3495 .mpo_system_check_auditctl = biba_system_check_auditctl,
3496 .mpo_system_check_auditon = biba_system_check_auditon,
3497 .mpo_system_check_swapoff = biba_system_check_swapoff,
3498 .mpo_system_check_swapon = biba_system_check_swapon,
3499 .mpo_system_check_sysctl = biba_system_check_sysctl,
3501 .mpo_sysvmsg_cleanup = biba_sysvmsg_cleanup,
3502 .mpo_sysvmsg_create = biba_sysvmsg_create,
3503 .mpo_sysvmsg_destroy_label = biba_destroy_label,
3504 .mpo_sysvmsg_init_label = biba_init_label,
3506 .mpo_sysvmsq_check_msgrcv = biba_sysvmsq_check_msgrcv,
3507 .mpo_sysvmsq_check_msgrmid = biba_sysvmsq_check_msgrmid,
3508 .mpo_sysvmsq_check_msqget = biba_sysvmsq_check_msqget,
3509 .mpo_sysvmsq_check_msqsnd = biba_sysvmsq_check_msqsnd,
3510 .mpo_sysvmsq_check_msqrcv = biba_sysvmsq_check_msqrcv,
3511 .mpo_sysvmsq_check_msqctl = biba_sysvmsq_check_msqctl,
3512 .mpo_sysvmsq_cleanup = biba_sysvmsq_cleanup,
3513 .mpo_sysvmsq_create = biba_sysvmsq_create,
3514 .mpo_sysvmsq_destroy_label = biba_destroy_label,
3515 .mpo_sysvmsq_init_label = biba_init_label,
3517 .mpo_sysvsem_check_semctl = biba_sysvsem_check_semctl,
3518 .mpo_sysvsem_check_semget = biba_sysvsem_check_semget,
3519 .mpo_sysvsem_check_semop = biba_sysvsem_check_semop,
3520 .mpo_sysvsem_cleanup = biba_sysvsem_cleanup,
3521 .mpo_sysvsem_create = biba_sysvsem_create,
3522 .mpo_sysvsem_destroy_label = biba_destroy_label,
3523 .mpo_sysvsem_init_label = biba_init_label,
3525 .mpo_sysvshm_check_shmat = biba_sysvshm_check_shmat,
3526 .mpo_sysvshm_check_shmctl = biba_sysvshm_check_shmctl,
3527 .mpo_sysvshm_check_shmget = biba_sysvshm_check_shmget,
3528 .mpo_sysvshm_cleanup = biba_sysvshm_cleanup,
3529 .mpo_sysvshm_create = biba_sysvshm_create,
3530 .mpo_sysvshm_destroy_label = biba_destroy_label,
3531 .mpo_sysvshm_init_label = biba_init_label,
3533 .mpo_vnode_associate_extattr = biba_vnode_associate_extattr,
3534 .mpo_vnode_associate_singlelabel = biba_vnode_associate_singlelabel,
3535 .mpo_vnode_check_access = biba_vnode_check_open,
3536 .mpo_vnode_check_chdir = biba_vnode_check_chdir,
3537 .mpo_vnode_check_chroot = biba_vnode_check_chroot,
3538 .mpo_vnode_check_create = biba_vnode_check_create,
3539 .mpo_vnode_check_deleteacl = biba_vnode_check_deleteacl,
3540 .mpo_vnode_check_deleteextattr = biba_vnode_check_deleteextattr,
3541 .mpo_vnode_check_exec = biba_vnode_check_exec,
3542 .mpo_vnode_check_getacl = biba_vnode_check_getacl,
3543 .mpo_vnode_check_getextattr = biba_vnode_check_getextattr,
3544 .mpo_vnode_check_link = biba_vnode_check_link,
3545 .mpo_vnode_check_listextattr = biba_vnode_check_listextattr,
3546 .mpo_vnode_check_lookup = biba_vnode_check_lookup,
3547 .mpo_vnode_check_mmap = biba_vnode_check_mmap,
3548 .mpo_vnode_check_open = biba_vnode_check_open,
3549 .mpo_vnode_check_poll = biba_vnode_check_poll,
3550 .mpo_vnode_check_read = biba_vnode_check_read,
3551 .mpo_vnode_check_readdir = biba_vnode_check_readdir,
3552 .mpo_vnode_check_readlink = biba_vnode_check_readlink,
3553 .mpo_vnode_check_relabel = biba_vnode_check_relabel,
3554 .mpo_vnode_check_rename_from = biba_vnode_check_rename_from,
3555 .mpo_vnode_check_rename_to = biba_vnode_check_rename_to,
3556 .mpo_vnode_check_revoke = biba_vnode_check_revoke,
3557 .mpo_vnode_check_setacl = biba_vnode_check_setacl,
3558 .mpo_vnode_check_setextattr = biba_vnode_check_setextattr,
3559 .mpo_vnode_check_setflags = biba_vnode_check_setflags,
3560 .mpo_vnode_check_setmode = biba_vnode_check_setmode,
3561 .mpo_vnode_check_setowner = biba_vnode_check_setowner,
3562 .mpo_vnode_check_setutimes = biba_vnode_check_setutimes,
3563 .mpo_vnode_check_stat = biba_vnode_check_stat,
3564 .mpo_vnode_check_unlink = biba_vnode_check_unlink,
3565 .mpo_vnode_check_write = biba_vnode_check_write,
3566 .mpo_vnode_create_extattr = biba_vnode_create_extattr,
3567 .mpo_vnode_copy_label = biba_copy_label,
3568 .mpo_vnode_destroy_label = biba_destroy_label,
3569 .mpo_vnode_externalize_label = biba_externalize_label,
3570 .mpo_vnode_init_label = biba_init_label,
3571 .mpo_vnode_internalize_label = biba_internalize_label,
3572 .mpo_vnode_relabel = biba_vnode_relabel,
3573 .mpo_vnode_setlabel_extattr = biba_vnode_setlabel_extattr,
3576 MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba",
3577 MPC_LOADTIME_FLAG_NOTLATE, &biba_slot);