2 * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
3 * Copyright (c) 2001-2005 McAfee, Inc.
4 * Copyright (c) 2006 SPARTA, Inc.
7 * This software was developed by Robert Watson for the TrustedBSD Project.
9 * This software was developed for the FreeBSD Project in part by McAfee
10 * Research, the Security Research Division of McAfee, Inc. under
11 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
12 * CHATS research program.
14 * This software was enhanced by SPARTA ISSO under SPAWAR contract
15 * N66001-04-C-6019 ("SEFOS").
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted provided that the following conditions
20 * 1. Redistributions of source code must retain the above copyright
21 * notice, this list of conditions and the following disclaimer.
22 * 2. Redistributions in binary form must reproduce the above copyright
23 * notice, this list of conditions and the following disclaimer in the
24 * documentation and/or other materials provided with the distribution.
26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
42 * Developed by the TrustedBSD Project.
44 * Biba fixed label mandatory integrity policy.
47 #include <sys/param.h>
49 #include <sys/extattr.h>
50 #include <sys/kernel.h>
52 #include <sys/malloc.h>
54 #include <sys/mount.h>
58 #include <sys/systm.h>
59 #include <sys/sysproto.h>
60 #include <sys/sysent.h>
61 #include <sys/systm.h>
62 #include <sys/vnode.h>
64 #include <sys/socket.h>
65 #include <sys/socketvar.h>
68 #include <sys/sysctl.h>
73 #include <fs/devfs/devfs.h>
75 #include <net/bpfdesc.h>
77 #include <net/if_types.h>
78 #include <net/if_var.h>
80 #include <netinet/in.h>
81 #include <netinet/in_pcb.h>
82 #include <netinet/ip_var.h>
87 #include <security/mac/mac_policy.h>
88 #include <security/mac_biba/mac_biba.h>
90 SYSCTL_DECL(_security_mac);
92 SYSCTL_NODE(_security_mac, OID_AUTO, biba, CTLFLAG_RW, 0,
93 "TrustedBSD mac_biba policy controls");
95 static int biba_label_size = sizeof(struct mac_biba);
96 SYSCTL_INT(_security_mac_biba, OID_AUTO, label_size, CTLFLAG_RD,
97 &biba_label_size, 0, "Size of struct mac_biba");
99 static int biba_enabled = 1;
100 SYSCTL_INT(_security_mac_biba, OID_AUTO, enabled, CTLFLAG_RW, &biba_enabled,
101 0, "Enforce MAC/Biba policy");
102 TUNABLE_INT("security.mac.biba.enabled", &biba_enabled);
104 static int destroyed_not_inited;
105 SYSCTL_INT(_security_mac_biba, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
106 &destroyed_not_inited, 0, "Count of labels destroyed but not inited");
108 static int trust_all_interfaces = 0;
109 SYSCTL_INT(_security_mac_biba, OID_AUTO, trust_all_interfaces, CTLFLAG_RD,
110 &trust_all_interfaces, 0, "Consider all interfaces 'trusted' by MAC/Biba");
111 TUNABLE_INT("security.mac.biba.trust_all_interfaces", &trust_all_interfaces);
113 static char trusted_interfaces[128];
114 SYSCTL_STRING(_security_mac_biba, OID_AUTO, trusted_interfaces, CTLFLAG_RD,
115 trusted_interfaces, 0, "Interfaces considered 'trusted' by MAC/Biba");
116 TUNABLE_STR("security.mac.biba.trusted_interfaces", trusted_interfaces,
117 sizeof(trusted_interfaces));
119 static int max_compartments = MAC_BIBA_MAX_COMPARTMENTS;
120 SYSCTL_INT(_security_mac_biba, OID_AUTO, max_compartments, CTLFLAG_RD,
121 &max_compartments, 0, "Maximum supported compartments");
123 static int ptys_equal = 0;
124 SYSCTL_INT(_security_mac_biba, OID_AUTO, ptys_equal, CTLFLAG_RW, &ptys_equal,
125 0, "Label pty devices as biba/equal on create");
126 TUNABLE_INT("security.mac.biba.ptys_equal", &ptys_equal);
128 static int interfaces_equal = 1;
129 SYSCTL_INT(_security_mac_biba, OID_AUTO, interfaces_equal, CTLFLAG_RW,
130 &interfaces_equal, 0, "Label network interfaces as biba/equal on create");
131 TUNABLE_INT("security.mac.biba.interfaces_equal", &interfaces_equal);
133 static int revocation_enabled = 0;
134 SYSCTL_INT(_security_mac_biba, OID_AUTO, revocation_enabled, CTLFLAG_RW,
135 &revocation_enabled, 0, "Revoke access to objects on relabel");
136 TUNABLE_INT("security.mac.biba.revocation_enabled", &revocation_enabled);
138 static int biba_slot;
139 #define SLOT(l) ((struct mac_biba *)mac_label_get((l), biba_slot))
140 #define SLOT_SET(l, val) mac_label_set((l), biba_slot, (uintptr_t)(val))
142 static uma_zone_t zone_biba;
145 biba_bit_set_empty(u_char *set) {
148 for (i = 0; i < MAC_BIBA_MAX_COMPARTMENTS >> 3; i++)
154 static struct mac_biba *
158 return (uma_zalloc(zone_biba, flag | M_ZERO));
162 biba_free(struct mac_biba *mb)
166 uma_zfree(zone_biba, mb);
168 atomic_add_int(&destroyed_not_inited, 1);
172 biba_atmostflags(struct mac_biba *mb, int flags)
175 if ((mb->mb_flags & flags) != mb->mb_flags)
181 biba_dominate_element(struct mac_biba_element *a, struct mac_biba_element *b)
185 switch (a->mbe_type) {
186 case MAC_BIBA_TYPE_EQUAL:
187 case MAC_BIBA_TYPE_HIGH:
190 case MAC_BIBA_TYPE_LOW:
191 switch (b->mbe_type) {
192 case MAC_BIBA_TYPE_GRADE:
193 case MAC_BIBA_TYPE_HIGH:
196 case MAC_BIBA_TYPE_EQUAL:
197 case MAC_BIBA_TYPE_LOW:
201 panic("biba_dominate_element: b->mbe_type invalid");
204 case MAC_BIBA_TYPE_GRADE:
205 switch (b->mbe_type) {
206 case MAC_BIBA_TYPE_EQUAL:
207 case MAC_BIBA_TYPE_LOW:
210 case MAC_BIBA_TYPE_HIGH:
213 case MAC_BIBA_TYPE_GRADE:
214 for (bit = 1; bit <= MAC_BIBA_MAX_COMPARTMENTS; bit++)
215 if (!MAC_BIBA_BIT_TEST(bit,
216 a->mbe_compartments) &&
217 MAC_BIBA_BIT_TEST(bit, b->mbe_compartments))
219 return (a->mbe_grade >= b->mbe_grade);
222 panic("biba_dominate_element: b->mbe_type invalid");
226 panic("biba_dominate_element: a->mbe_type invalid");
233 biba_subject_dominate_high(struct mac_biba *mb)
235 struct mac_biba_element *element;
237 KASSERT((mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
238 ("biba_effective_in_range: mb not effective"));
239 element = &mb->mb_effective;
241 return (element->mbe_type == MAC_BIBA_TYPE_EQUAL ||
242 element->mbe_type == MAC_BIBA_TYPE_HIGH);
246 biba_range_in_range(struct mac_biba *rangea, struct mac_biba *rangeb)
249 return (biba_dominate_element(&rangeb->mb_rangehigh,
250 &rangea->mb_rangehigh) &&
251 biba_dominate_element(&rangea->mb_rangelow,
252 &rangeb->mb_rangelow));
256 biba_effective_in_range(struct mac_biba *effective, struct mac_biba *range)
259 KASSERT((effective->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
260 ("biba_effective_in_range: a not effective"));
261 KASSERT((range->mb_flags & MAC_BIBA_FLAG_RANGE) != 0,
262 ("biba_effective_in_range: b not range"));
264 return (biba_dominate_element(&range->mb_rangehigh,
265 &effective->mb_effective) &&
266 biba_dominate_element(&effective->mb_effective,
267 &range->mb_rangelow));
273 biba_dominate_effective(struct mac_biba *a, struct mac_biba *b)
275 KASSERT((a->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
276 ("biba_dominate_effective: a not effective"));
277 KASSERT((b->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
278 ("biba_dominate_effective: b not effective"));
280 return (biba_dominate_element(&a->mb_effective, &b->mb_effective));
284 biba_equal_element(struct mac_biba_element *a, struct mac_biba_element *b)
287 if (a->mbe_type == MAC_BIBA_TYPE_EQUAL ||
288 b->mbe_type == MAC_BIBA_TYPE_EQUAL)
291 return (a->mbe_type == b->mbe_type && a->mbe_grade == b->mbe_grade);
295 biba_equal_effective(struct mac_biba *a, struct mac_biba *b)
298 KASSERT((a->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
299 ("biba_equal_effective: a not effective"));
300 KASSERT((b->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
301 ("biba_equal_effective: b not effective"));
303 return (biba_equal_element(&a->mb_effective, &b->mb_effective));
307 biba_contains_equal(struct mac_biba *mb)
310 if (mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
311 if (mb->mb_effective.mbe_type == MAC_BIBA_TYPE_EQUAL)
315 if (mb->mb_flags & MAC_BIBA_FLAG_RANGE) {
316 if (mb->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL)
318 if (mb->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
326 biba_subject_privileged(struct mac_biba *mb)
329 KASSERT((mb->mb_flags & MAC_BIBA_FLAGS_BOTH) == MAC_BIBA_FLAGS_BOTH,
330 ("biba_subject_privileged: subject doesn't have both labels"));
332 /* If the effective is EQUAL, it's ok. */
333 if (mb->mb_effective.mbe_type == MAC_BIBA_TYPE_EQUAL)
336 /* If either range endpoint is EQUAL, it's ok. */
337 if (mb->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL ||
338 mb->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
341 /* If the range is low-high, it's ok. */
342 if (mb->mb_rangelow.mbe_type == MAC_BIBA_TYPE_LOW &&
343 mb->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_HIGH)
351 biba_high_effective(struct mac_biba *mb)
354 KASSERT((mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
355 ("biba_equal_effective: mb not effective"));
357 return (mb->mb_effective.mbe_type == MAC_BIBA_TYPE_HIGH);
361 biba_valid(struct mac_biba *mb)
364 if (mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
365 switch (mb->mb_effective.mbe_type) {
366 case MAC_BIBA_TYPE_GRADE:
369 case MAC_BIBA_TYPE_EQUAL:
370 case MAC_BIBA_TYPE_HIGH:
371 case MAC_BIBA_TYPE_LOW:
372 if (mb->mb_effective.mbe_grade != 0 ||
373 !MAC_BIBA_BIT_SET_EMPTY(
374 mb->mb_effective.mbe_compartments))
382 if (mb->mb_effective.mbe_type != MAC_BIBA_TYPE_UNDEF)
386 if (mb->mb_flags & MAC_BIBA_FLAG_RANGE) {
387 switch (mb->mb_rangelow.mbe_type) {
388 case MAC_BIBA_TYPE_GRADE:
391 case MAC_BIBA_TYPE_EQUAL:
392 case MAC_BIBA_TYPE_HIGH:
393 case MAC_BIBA_TYPE_LOW:
394 if (mb->mb_rangelow.mbe_grade != 0 ||
395 !MAC_BIBA_BIT_SET_EMPTY(
396 mb->mb_rangelow.mbe_compartments))
404 switch (mb->mb_rangehigh.mbe_type) {
405 case MAC_BIBA_TYPE_GRADE:
408 case MAC_BIBA_TYPE_EQUAL:
409 case MAC_BIBA_TYPE_HIGH:
410 case MAC_BIBA_TYPE_LOW:
411 if (mb->mb_rangehigh.mbe_grade != 0 ||
412 !MAC_BIBA_BIT_SET_EMPTY(
413 mb->mb_rangehigh.mbe_compartments))
420 if (!biba_dominate_element(&mb->mb_rangehigh,
424 if (mb->mb_rangelow.mbe_type != MAC_BIBA_TYPE_UNDEF ||
425 mb->mb_rangehigh.mbe_type != MAC_BIBA_TYPE_UNDEF)
433 biba_set_range(struct mac_biba *mb, u_short typelow, u_short gradelow,
434 u_char *compartmentslow, u_short typehigh, u_short gradehigh,
435 u_char *compartmentshigh)
438 mb->mb_rangelow.mbe_type = typelow;
439 mb->mb_rangelow.mbe_grade = gradelow;
440 if (compartmentslow != NULL)
441 memcpy(mb->mb_rangelow.mbe_compartments, compartmentslow,
442 sizeof(mb->mb_rangelow.mbe_compartments));
443 mb->mb_rangehigh.mbe_type = typehigh;
444 mb->mb_rangehigh.mbe_grade = gradehigh;
445 if (compartmentshigh != NULL)
446 memcpy(mb->mb_rangehigh.mbe_compartments, compartmentshigh,
447 sizeof(mb->mb_rangehigh.mbe_compartments));
448 mb->mb_flags |= MAC_BIBA_FLAG_RANGE;
452 biba_set_effective(struct mac_biba *mb, u_short type, u_short grade,
453 u_char *compartments)
456 mb->mb_effective.mbe_type = type;
457 mb->mb_effective.mbe_grade = grade;
458 if (compartments != NULL)
459 memcpy(mb->mb_effective.mbe_compartments, compartments,
460 sizeof(mb->mb_effective.mbe_compartments));
461 mb->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE;
465 biba_copy_range(struct mac_biba *labelfrom, struct mac_biba *labelto)
468 KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_RANGE) != 0,
469 ("biba_copy_range: labelfrom not range"));
471 labelto->mb_rangelow = labelfrom->mb_rangelow;
472 labelto->mb_rangehigh = labelfrom->mb_rangehigh;
473 labelto->mb_flags |= MAC_BIBA_FLAG_RANGE;
477 biba_copy_effective(struct mac_biba *labelfrom, struct mac_biba *labelto)
480 KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
481 ("biba_copy_effective: labelfrom not effective"));
483 labelto->mb_effective = labelfrom->mb_effective;
484 labelto->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE;
488 biba_copy(struct mac_biba *source, struct mac_biba *dest)
491 if (source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE)
492 biba_copy_effective(source, dest);
493 if (source->mb_flags & MAC_BIBA_FLAG_RANGE)
494 biba_copy_range(source, dest);
498 * Policy module operations.
501 biba_init(struct mac_policy_conf *conf)
504 zone_biba = uma_zcreate("mac_biba", sizeof(struct mac_biba), NULL,
505 NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
512 biba_init_label(struct label *label)
515 SLOT_SET(label, biba_alloc(M_WAITOK));
519 biba_init_label_waitcheck(struct label *label, int flag)
522 SLOT_SET(label, biba_alloc(flag));
523 if (SLOT(label) == NULL)
530 biba_destroy_label(struct label *label)
533 biba_free(SLOT(label));
534 SLOT_SET(label, NULL);
538 * biba_element_to_string() accepts an sbuf and Biba element. It converts
539 * the Biba element to a string and stores the result in the sbuf; if there
540 * isn't space in the sbuf, -1 is returned.
543 biba_element_to_string(struct sbuf *sb, struct mac_biba_element *element)
547 switch (element->mbe_type) {
548 case MAC_BIBA_TYPE_HIGH:
549 return (sbuf_printf(sb, "high"));
551 case MAC_BIBA_TYPE_LOW:
552 return (sbuf_printf(sb, "low"));
554 case MAC_BIBA_TYPE_EQUAL:
555 return (sbuf_printf(sb, "equal"));
557 case MAC_BIBA_TYPE_GRADE:
558 if (sbuf_printf(sb, "%d", element->mbe_grade) == -1)
562 for (i = 1; i <= MAC_BIBA_MAX_COMPARTMENTS; i++) {
563 if (MAC_BIBA_BIT_TEST(i, element->mbe_compartments)) {
565 if (sbuf_putc(sb, ':') == -1)
567 if (sbuf_printf(sb, "%d", i) == -1)
571 if (sbuf_printf(sb, "+%d", i) == -1)
579 panic("biba_element_to_string: invalid type (%d)",
585 * biba_to_string() converts a Biba label to a string, and places the results
586 * in the passed sbuf. It returns 0 on success, or EINVAL if there isn't
587 * room in the sbuf. Note: the sbuf will be modified even in a failure case,
588 * so the caller may need to revert the sbuf by restoring the offset if
592 biba_to_string(struct sbuf *sb, struct mac_biba *mb)
595 if (mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
596 if (biba_element_to_string(sb, &mb->mb_effective) == -1)
600 if (mb->mb_flags & MAC_BIBA_FLAG_RANGE) {
601 if (sbuf_putc(sb, '(') == -1)
604 if (biba_element_to_string(sb, &mb->mb_rangelow) == -1)
607 if (sbuf_putc(sb, '-') == -1)
610 if (biba_element_to_string(sb, &mb->mb_rangehigh) == -1)
613 if (sbuf_putc(sb, ')') == -1)
621 biba_externalize_label(struct label *label, char *element_name,
622 struct sbuf *sb, int *claimed)
626 if (strcmp(MAC_BIBA_LABEL_NAME, element_name) != 0)
632 return (biba_to_string(sb, mb));
636 biba_parse_element(struct mac_biba_element *element, char *string)
638 char *compartment, *end, *grade;
641 if (strcmp(string, "high") == 0 || strcmp(string, "hi") == 0) {
642 element->mbe_type = MAC_BIBA_TYPE_HIGH;
643 element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
644 } else if (strcmp(string, "low") == 0 || strcmp(string, "lo") == 0) {
645 element->mbe_type = MAC_BIBA_TYPE_LOW;
646 element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
647 } else if (strcmp(string, "equal") == 0 ||
648 strcmp(string, "eq") == 0) {
649 element->mbe_type = MAC_BIBA_TYPE_EQUAL;
650 element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
652 element->mbe_type = MAC_BIBA_TYPE_GRADE;
655 * Numeric grade piece of the element.
657 grade = strsep(&string, ":");
658 value = strtol(grade, &end, 10);
659 if (end == grade || *end != '\0')
661 if (value < 0 || value > 65535)
663 element->mbe_grade = value;
666 * Optional compartment piece of the element. If none are
667 * included, we assume that the label has no compartments.
674 while ((compartment = strsep(&string, "+")) != NULL) {
675 value = strtol(compartment, &end, 10);
676 if (compartment == end || *end != '\0')
678 if (value < 1 || value > MAC_BIBA_MAX_COMPARTMENTS)
680 MAC_BIBA_BIT_SET(value, element->mbe_compartments);
688 * Note: destructively consumes the string, make a local copy before calling
689 * if that's a problem.
692 biba_parse(struct mac_biba *mb, char *string)
694 char *rangehigh, *rangelow, *effective;
697 effective = strsep(&string, "(");
698 if (*effective == '\0')
701 if (string != NULL) {
702 rangelow = strsep(&string, "-");
705 rangehigh = strsep(&string, ")");
715 KASSERT((rangelow != NULL && rangehigh != NULL) ||
716 (rangelow == NULL && rangehigh == NULL),
717 ("biba_parse: range mismatch"));
719 bzero(mb, sizeof(*mb));
720 if (effective != NULL) {
721 error = biba_parse_element(&mb->mb_effective, effective);
724 mb->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE;
727 if (rangelow != NULL) {
728 error = biba_parse_element(&mb->mb_rangelow, rangelow);
731 error = biba_parse_element(&mb->mb_rangehigh, rangehigh);
734 mb->mb_flags |= MAC_BIBA_FLAG_RANGE;
737 error = biba_valid(mb);
745 biba_internalize_label(struct label *label, char *element_name,
746 char *element_data, int *claimed)
748 struct mac_biba *mb, mb_temp;
751 if (strcmp(MAC_BIBA_LABEL_NAME, element_name) != 0)
756 error = biba_parse(&mb_temp, element_data);
767 biba_copy_label(struct label *src, struct label *dest)
770 *SLOT(dest) = *SLOT(src);
774 * Object-specific entry point implementations are sorted alphabetically by
775 * object type name and then by operation.
778 biba_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
779 struct ifnet *ifp, struct label *ifplabel)
781 struct mac_biba *a, *b;
789 if (biba_equal_effective(a, b))
795 biba_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
796 struct label *dlabel)
798 struct mac_biba *source, *dest;
800 source = SLOT(cred->cr_label);
803 biba_copy_effective(source, dest);
807 biba_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
808 struct mbuf *m, struct label *mlabel)
810 struct mac_biba *source, *dest;
812 source = SLOT(dlabel);
815 biba_copy_effective(source, dest);
819 biba_cred_associate_nfsd(struct ucred *cred)
821 struct mac_biba *label;
823 label = SLOT(cred->cr_label);
824 biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
825 biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
830 biba_cred_check_relabel(struct ucred *cred, struct label *newlabel)
832 struct mac_biba *subj, *new;
835 subj = SLOT(cred->cr_label);
836 new = SLOT(newlabel);
839 * If there is a Biba label update for the credential, it may
840 * be an update of the effective, range, or both.
842 error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
847 * If the Biba label is to be changed, authorize as appropriate.
849 if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
851 * If the change request modifies both the Biba label
852 * effective and range, check that the new effective will be
855 if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
856 MAC_BIBA_FLAGS_BOTH &&
857 !biba_effective_in_range(new, new))
861 * To change the Biba effective label on a credential, the
862 * new effective label must be in the current range.
864 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE &&
865 !biba_effective_in_range(new, subj))
869 * To change the Biba range on a credential, the new range
870 * label must be in the current range.
872 if (new->mb_flags & MAC_BIBA_FLAG_RANGE &&
873 !biba_range_in_range(new, subj))
877 * To have EQUAL in any component of the new credential Biba
878 * label, the subject must already have EQUAL in their label.
880 if (biba_contains_equal(new)) {
881 error = biba_subject_privileged(subj);
891 biba_cred_check_visible(struct ucred *u1, struct ucred *u2)
893 struct mac_biba *subj, *obj;
898 subj = SLOT(u1->cr_label);
899 obj = SLOT(u2->cr_label);
902 if (!biba_dominate_effective(obj, subj))
909 biba_cred_create_init(struct ucred *cred)
911 struct mac_biba *dest;
913 dest = SLOT(cred->cr_label);
915 biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
916 biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
921 biba_cred_create_swapper(struct ucred *cred)
923 struct mac_biba *dest;
925 dest = SLOT(cred->cr_label);
927 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
928 biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
933 biba_cred_relabel(struct ucred *cred, struct label *newlabel)
935 struct mac_biba *source, *dest;
937 source = SLOT(newlabel);
938 dest = SLOT(cred->cr_label);
940 biba_copy(source, dest);
944 biba_devfs_create_device(struct ucred *cred, struct mount *mp,
945 struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
951 if (strcmp(dev->si_name, "null") == 0 ||
952 strcmp(dev->si_name, "zero") == 0 ||
953 strcmp(dev->si_name, "random") == 0 ||
954 strncmp(dev->si_name, "fd/", strlen("fd/")) == 0)
955 biba_type = MAC_BIBA_TYPE_EQUAL;
956 else if (ptys_equal &&
957 (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||
958 strncmp(dev->si_name, "pts/", strlen("pts/")) == 0 ||
959 strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))
960 biba_type = MAC_BIBA_TYPE_EQUAL;
962 biba_type = MAC_BIBA_TYPE_HIGH;
963 biba_set_effective(mb, biba_type, 0, NULL);
967 biba_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen,
968 struct devfs_dirent *de, struct label *delabel)
974 biba_set_effective(mb, MAC_BIBA_TYPE_HIGH, 0, NULL);
978 biba_devfs_create_symlink(struct ucred *cred, struct mount *mp,
979 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
980 struct label *delabel)
982 struct mac_biba *source, *dest;
984 source = SLOT(cred->cr_label);
985 dest = SLOT(delabel);
987 biba_copy_effective(source, dest);
991 biba_devfs_update(struct mount *mp, struct devfs_dirent *de,
992 struct label *delabel, struct vnode *vp, struct label *vplabel)
994 struct mac_biba *source, *dest;
996 source = SLOT(vplabel);
997 dest = SLOT(delabel);
999 biba_copy(source, dest);
1003 biba_devfs_vnode_associate(struct mount *mp, struct label *mntlabel,
1004 struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
1005 struct label *vplabel)
1007 struct mac_biba *source, *dest;
1009 source = SLOT(delabel);
1010 dest = SLOT(vplabel);
1012 biba_copy_effective(source, dest);
1016 biba_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
1017 struct label *ifplabel, struct label *newlabel)
1019 struct mac_biba *subj, *new;
1022 subj = SLOT(cred->cr_label);
1023 new = SLOT(newlabel);
1026 * If there is a Biba label update for the interface, it may be an
1027 * update of the effective, range, or both.
1029 error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
1034 * Relabling network interfaces requires Biba privilege.
1036 error = biba_subject_privileged(subj);
1044 biba_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
1045 struct mbuf *m, struct label *mlabel)
1047 struct mac_biba *p, *i;
1055 return (biba_effective_in_range(p, i) ? 0 : EACCES);
1059 biba_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
1061 char tifname[IFNAMSIZ], *p, *q;
1062 char tiflist[sizeof(trusted_interfaces)];
1063 struct mac_biba *dest;
1066 dest = SLOT(ifplabel);
1068 if (ifp->if_type == IFT_LOOP || interfaces_equal != 0) {
1069 type = MAC_BIBA_TYPE_EQUAL;
1073 if (trust_all_interfaces) {
1074 type = MAC_BIBA_TYPE_HIGH;
1078 type = MAC_BIBA_TYPE_LOW;
1080 if (trusted_interfaces[0] == '\0' ||
1081 !strvalid(trusted_interfaces, sizeof(trusted_interfaces)))
1084 bzero(tiflist, sizeof(tiflist));
1085 for (p = trusted_interfaces, q = tiflist; *p != '\0'; p++, q++)
1086 if(*p != ' ' && *p != '\t')
1089 for (p = q = tiflist;; p++) {
1090 if (*p == ',' || *p == '\0') {
1092 if (len < IFNAMSIZ) {
1093 bzero(tifname, sizeof(tifname));
1094 bcopy(q, tifname, len);
1095 if (strcmp(tifname, ifp->if_xname) == 0) {
1096 type = MAC_BIBA_TYPE_HIGH;
1101 printf("mac_biba warning: interface name "
1102 "\"%s\" is too long (must be < %d)\n",
1111 biba_set_effective(dest, type, 0, NULL);
1112 biba_set_range(dest, type, 0, NULL, type, 0, NULL);
1116 biba_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
1117 struct mbuf *m, struct label *mlabel)
1119 struct mac_biba *source, *dest;
1121 source = SLOT(ifplabel);
1122 dest = SLOT(mlabel);
1124 biba_copy_effective(source, dest);
1128 biba_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
1129 struct label *ifplabel, struct label *newlabel)
1131 struct mac_biba *source, *dest;
1133 source = SLOT(newlabel);
1134 dest = SLOT(ifplabel);
1136 biba_copy(source, dest);
1140 biba_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
1141 struct mbuf *m, struct label *mlabel)
1143 struct mac_biba *p, *i;
1151 return (biba_equal_effective(p, i) ? 0 : EACCES);
1155 biba_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
1156 struct label *inplabel)
1158 struct mac_biba *subj, *obj;
1163 subj = SLOT(cred->cr_label);
1164 obj = SLOT(inplabel);
1166 if (!biba_dominate_effective(obj, subj))
1173 biba_inpcb_create(struct socket *so, struct label *solabel,
1174 struct inpcb *inp, struct label *inplabel)
1176 struct mac_biba *source, *dest;
1178 source = SLOT(solabel);
1179 dest = SLOT(inplabel);
1182 biba_copy_effective(source, dest);
1187 biba_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
1188 struct mbuf *m, struct label *mlabel)
1190 struct mac_biba *source, *dest;
1192 source = SLOT(inplabel);
1193 dest = SLOT(mlabel);
1195 biba_copy_effective(source, dest);
1199 biba_inpcb_sosetlabel(struct socket *so, struct label *solabel,
1200 struct inpcb *inp, struct label *inplabel)
1202 struct mac_biba *source, *dest;
1204 SOCK_LOCK_ASSERT(so);
1206 source = SLOT(solabel);
1207 dest = SLOT(inplabel);
1209 biba_copy(source, dest);
1213 biba_ip6q_create(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
1214 struct label *q6label)
1216 struct mac_biba *source, *dest;
1218 source = SLOT(mlabel);
1219 dest = SLOT(q6label);
1221 biba_copy_effective(source, dest);
1225 biba_ip6q_match(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
1226 struct label *q6label)
1228 struct mac_biba *a, *b;
1233 return (biba_equal_effective(a, b));
1237 biba_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m,
1238 struct label *mlabel)
1240 struct mac_biba *source, *dest;
1242 source = SLOT(q6label);
1243 dest = SLOT(mlabel);
1245 /* Just use the head, since we require them all to match. */
1246 biba_copy_effective(source, dest);
1250 biba_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
1251 struct label *q6label)
1254 /* NOOP: we only accept matching labels, so no need to update */
1258 biba_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *q,
1259 struct label *qlabel)
1261 struct mac_biba *source, *dest;
1263 source = SLOT(mlabel);
1264 dest = SLOT(qlabel);
1266 biba_copy_effective(source, dest);
1270 biba_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *q,
1271 struct label *qlabel)
1273 struct mac_biba *a, *b;
1278 return (biba_equal_effective(a, b));
1282 biba_ipq_reassemble(struct ipq *q, struct label *qlabel, struct mbuf *m,
1283 struct label *mlabel)
1285 struct mac_biba *source, *dest;
1287 source = SLOT(qlabel);
1288 dest = SLOT(mlabel);
1290 /* Just use the head, since we require them all to match. */
1291 biba_copy_effective(source, dest);
1295 biba_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *q,
1296 struct label *qlabel)
1299 /* NOOP: we only accept matching labels, so no need to update */
1303 biba_kld_check_load(struct ucred *cred, struct vnode *vp,
1304 struct label *vplabel)
1306 struct mac_biba *subj, *obj;
1312 subj = SLOT(cred->cr_label);
1314 error = biba_subject_privileged(subj);
1318 obj = SLOT(vplabel);
1319 if (!biba_high_effective(obj))
1326 biba_mount_check_stat(struct ucred *cred, struct mount *mp,
1327 struct label *mplabel)
1329 struct mac_biba *subj, *obj;
1334 subj = SLOT(cred->cr_label);
1335 obj = SLOT(mplabel);
1337 if (!biba_dominate_effective(obj, subj))
1344 biba_mount_create(struct ucred *cred, struct mount *mp,
1345 struct label *mplabel)
1347 struct mac_biba *source, *dest;
1349 source = SLOT(cred->cr_label);
1350 dest = SLOT(mplabel);
1352 biba_copy_effective(source, dest);
1356 biba_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel,
1357 struct mbuf *m, struct label *mlabel)
1359 struct mac_biba *dest;
1361 dest = SLOT(mlabel);
1363 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
1367 biba_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
1368 struct mbuf *m, struct label *mlabel)
1370 struct mac_biba *dest;
1372 dest = SLOT(mlabel);
1374 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
1378 biba_netinet_firewall_reply(struct mbuf *mrecv, struct label *mrecvlabel,
1379 struct mbuf *msend, struct label *msendlabel)
1381 struct mac_biba *source, *dest;
1383 source = SLOT(mrecvlabel);
1384 dest = SLOT(msendlabel);
1386 biba_copy_effective(source, dest);
1390 biba_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
1392 struct mac_biba *dest;
1394 dest = SLOT(mlabel);
1396 /* XXX: where is the label for the firewall really coming from? */
1397 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
1401 biba_netinet_fragment(struct mbuf *m, struct label *mlabel,
1402 struct mbuf *frag, struct label *fraglabel)
1404 struct mac_biba *source, *dest;
1406 source = SLOT(mlabel);
1407 dest = SLOT(fraglabel);
1409 biba_copy_effective(source, dest);
1413 biba_netinet_icmp_reply(struct mbuf *mrecv, struct label *mrecvlabel,
1414 struct mbuf *msend, struct label *msendlabel)
1416 struct mac_biba *source, *dest;
1418 source = SLOT(mrecvlabel);
1419 dest = SLOT(msendlabel);
1421 biba_copy_effective(source, dest);
1425 biba_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
1426 struct mbuf *m, struct label *mlabel)
1428 struct mac_biba *dest;
1430 dest = SLOT(mlabel);
1432 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
1436 biba_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
1437 struct mbuf *m, struct label *mlabel)
1439 struct mac_biba *dest;
1441 dest = SLOT(mlabel);
1443 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
1447 biba_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
1448 struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
1454 /* XXX: This will be implemented soon... */
1460 biba_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
1461 struct label *pplabel)
1463 struct mac_biba *subj, *obj;
1468 subj = SLOT(cred->cr_label);
1469 obj = SLOT(pplabel);
1471 if (!biba_dominate_effective(obj, subj))
1478 biba_pipe_check_read(struct ucred *cred, struct pipepair *pp,
1479 struct label *pplabel)
1481 struct mac_biba *subj, *obj;
1486 subj = SLOT(cred->cr_label);
1487 obj = SLOT(pplabel);
1489 if (!biba_dominate_effective(obj, subj))
1496 biba_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
1497 struct label *pplabel, struct label *newlabel)
1499 struct mac_biba *subj, *obj, *new;
1502 new = SLOT(newlabel);
1503 subj = SLOT(cred->cr_label);
1504 obj = SLOT(pplabel);
1507 * If there is a Biba label update for a pipe, it must be a effective
1510 error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
1515 * To perform a relabel of a pipe (Biba label or not), Biba must
1516 * authorize the relabel.
1518 if (!biba_effective_in_range(obj, subj))
1522 * If the Biba label is to be changed, authorize as appropriate.
1524 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
1526 * To change the Biba label on a pipe, the new pipe label
1527 * must be in the subject range.
1529 if (!biba_effective_in_range(new, subj))
1533 * To change the Biba label on a pipe to be EQUAL, the
1534 * subject must have appropriate privilege.
1536 if (biba_contains_equal(new)) {
1537 error = biba_subject_privileged(subj);
1547 biba_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
1548 struct label *pplabel)
1550 struct mac_biba *subj, *obj;
1555 subj = SLOT(cred->cr_label);
1556 obj = SLOT(pplabel);
1558 if (!biba_dominate_effective(obj, subj))
1565 biba_pipe_check_write(struct ucred *cred, struct pipepair *pp,
1566 struct label *pplabel)
1568 struct mac_biba *subj, *obj;
1573 subj = SLOT(cred->cr_label);
1574 obj = SLOT(pplabel);
1576 if (!biba_dominate_effective(subj, obj))
1583 biba_pipe_create(struct ucred *cred, struct pipepair *pp,
1584 struct label *pplabel)
1586 struct mac_biba *source, *dest;
1588 source = SLOT(cred->cr_label);
1589 dest = SLOT(pplabel);
1591 biba_copy_effective(source, dest);
1595 biba_pipe_relabel(struct ucred *cred, struct pipepair *pp,
1596 struct label *pplabel, struct label *newlabel)
1598 struct mac_biba *source, *dest;
1600 source = SLOT(newlabel);
1601 dest = SLOT(pplabel);
1603 biba_copy(source, dest);
1607 biba_posixsem_check_openunlink(struct ucred *cred, struct ksem *ks,
1608 struct label *kslabel)
1610 struct mac_biba *subj, *obj;
1615 subj = SLOT(cred->cr_label);
1616 obj = SLOT(kslabel);
1618 if (!biba_dominate_effective(subj, obj))
1625 biba_posixsem_check_write(struct ucred *active_cred, struct ucred *file_cred,
1626 struct ksem *ks, struct label *kslabel)
1628 struct mac_biba *subj, *obj;
1633 subj = SLOT(active_cred->cr_label);
1634 obj = SLOT(kslabel);
1636 if (!biba_dominate_effective(subj, obj))
1643 biba_posixsem_check_rdonly(struct ucred *active_cred, struct ucred *file_cred,
1644 struct ksem *ks, struct label *kslabel)
1646 struct mac_biba *subj, *obj;
1651 subj = SLOT(active_cred->cr_label);
1652 obj = SLOT(kslabel);
1654 if (!biba_dominate_effective(obj, subj))
1661 biba_posixsem_create(struct ucred *cred, struct ksem *ks,
1662 struct label *kslabel)
1664 struct mac_biba *source, *dest;
1666 source = SLOT(cred->cr_label);
1667 dest = SLOT(kslabel);
1669 biba_copy_effective(source, dest);
1673 * Some system privileges are allowed regardless of integrity grade; others
1674 * are allowed only when running with privilege with respect to the Biba
1675 * policy as they might otherwise allow bypassing of the integrity policy.
1678 biba_priv_check(struct ucred *cred, int priv)
1680 struct mac_biba *subj;
1687 * Exempt only specific privileges from the Biba integrity policy.
1694 * Allow processes to manipulate basic process audit properties, and
1695 * to submit audit records.
1697 case PRIV_AUDIT_GETAUDIT:
1698 case PRIV_AUDIT_SETAUDIT:
1699 case PRIV_AUDIT_SUBMIT:
1702 * Allow processes to manipulate their regular UNIX credentials.
1704 case PRIV_CRED_SETUID:
1705 case PRIV_CRED_SETEUID:
1706 case PRIV_CRED_SETGID:
1707 case PRIV_CRED_SETEGID:
1708 case PRIV_CRED_SETGROUPS:
1709 case PRIV_CRED_SETREUID:
1710 case PRIV_CRED_SETREGID:
1711 case PRIV_CRED_SETRESUID:
1712 case PRIV_CRED_SETRESGID:
1715 * Allow processes to perform system monitoring.
1717 case PRIV_SEEOTHERGIDS:
1718 case PRIV_SEEOTHERUIDS:
1722 * Allow access to general process debugging facilities. We
1723 * separately control debugging based on MAC label.
1725 case PRIV_DEBUG_DIFFCRED:
1726 case PRIV_DEBUG_SUGID:
1727 case PRIV_DEBUG_UNPRIV:
1730 * Allow manipulating jails.
1732 case PRIV_JAIL_ATTACH:
1735 * Allow privilege with respect to the Partition policy, but not the
1738 case PRIV_MAC_PARTITION:
1741 * Allow privilege with respect to process resource limits and login
1744 case PRIV_PROC_LIMIT:
1745 case PRIV_PROC_SETLOGIN:
1746 case PRIV_PROC_SETRLIMIT:
1749 * Allow System V and POSIX IPC privileges.
1752 case PRIV_IPC_WRITE:
1753 case PRIV_IPC_ADMIN:
1754 case PRIV_IPC_MSGSIZE:
1758 * Allow certain scheduler manipulations -- possibly this should be
1759 * controlled by more fine-grained policy, as potentially low
1760 * integrity processes can deny CPU to higher integrity ones.
1762 case PRIV_SCHED_DIFFCRED:
1763 case PRIV_SCHED_SETPRIORITY:
1764 case PRIV_SCHED_RTPRIO:
1765 case PRIV_SCHED_SETPOLICY:
1766 case PRIV_SCHED_SET:
1767 case PRIV_SCHED_SETPARAM:
1770 * More IPC privileges.
1772 case PRIV_SEM_WRITE:
1775 * Allow signaling privileges subject to integrity policy.
1777 case PRIV_SIGNAL_DIFFCRED:
1778 case PRIV_SIGNAL_SUGID:
1781 * Allow access to only limited sysctls from lower integrity levels;
1782 * piggy-back on the Jail definition.
1784 case PRIV_SYSCTL_WRITEJAIL:
1787 * Allow TTY-based privileges, subject to general device access using
1788 * labels on TTY device nodes, but not console privilege.
1790 case PRIV_TTY_DRAINWAIT:
1791 case PRIV_TTY_DTRWAIT:
1792 case PRIV_TTY_EXCLUSIVE:
1797 * Grant most VFS privileges, as almost all are in practice bounded
1798 * by more specific checks using labels.
1801 case PRIV_VFS_WRITE:
1802 case PRIV_VFS_ADMIN:
1804 case PRIV_VFS_LOOKUP:
1805 case PRIV_VFS_CHFLAGS_DEV:
1806 case PRIV_VFS_CHOWN:
1807 case PRIV_VFS_CHROOT:
1808 case PRIV_VFS_RETAINSUGID:
1809 case PRIV_VFS_EXCEEDQUOTA:
1810 case PRIV_VFS_FCHROOT:
1811 case PRIV_VFS_FHOPEN:
1812 case PRIV_VFS_FHSTATFS:
1813 case PRIV_VFS_GENERATION:
1814 case PRIV_VFS_GETFH:
1815 case PRIV_VFS_GETQUOTA:
1817 case PRIV_VFS_MOUNT:
1818 case PRIV_VFS_MOUNT_OWNER:
1819 case PRIV_VFS_MOUNT_PERM:
1820 case PRIV_VFS_MOUNT_SUIDDIR:
1821 case PRIV_VFS_MOUNT_NONUSER:
1822 case PRIV_VFS_SETGID:
1823 case PRIV_VFS_STICKYFILE:
1824 case PRIV_VFS_SYSFLAGS:
1825 case PRIV_VFS_UNMOUNT:
1828 * Allow VM privileges; it would be nice if these were subject to
1831 case PRIV_VM_MADV_PROTECT:
1833 case PRIV_VM_MUNLOCK:
1834 case PRIV_VM_SWAP_NOQUOTA:
1835 case PRIV_VM_SWAP_NORLIMIT:
1838 * Allow some but not all network privileges. In general, dont allow
1839 * reconfiguring the network stack, just normal use.
1841 case PRIV_NETATALK_RESERVEDPORT:
1842 case PRIV_NETINET_RESERVEDPORT:
1843 case PRIV_NETINET_RAW:
1844 case PRIV_NETINET_REUSEPORT:
1845 case PRIV_NETIPX_RESERVEDPORT:
1846 case PRIV_NETIPX_RAW:
1850 * All remaining system privileges are allow only if the process
1851 * holds privilege with respect to the Biba policy.
1854 subj = SLOT(cred->cr_label);
1855 error = biba_subject_privileged(subj);
1863 biba_proc_check_debug(struct ucred *cred, struct proc *p)
1865 struct mac_biba *subj, *obj;
1870 subj = SLOT(cred->cr_label);
1871 obj = SLOT(p->p_ucred->cr_label);
1873 /* XXX: range checks */
1874 if (!biba_dominate_effective(obj, subj))
1876 if (!biba_dominate_effective(subj, obj))
1883 biba_proc_check_sched(struct ucred *cred, struct proc *p)
1885 struct mac_biba *subj, *obj;
1890 subj = SLOT(cred->cr_label);
1891 obj = SLOT(p->p_ucred->cr_label);
1893 /* XXX: range checks */
1894 if (!biba_dominate_effective(obj, subj))
1896 if (!biba_dominate_effective(subj, obj))
1903 biba_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
1905 struct mac_biba *subj, *obj;
1910 subj = SLOT(cred->cr_label);
1911 obj = SLOT(p->p_ucred->cr_label);
1913 /* XXX: range checks */
1914 if (!biba_dominate_effective(obj, subj))
1916 if (!biba_dominate_effective(subj, obj))
1923 biba_socket_check_deliver(struct socket *so, struct label *solabel,
1924 struct mbuf *m, struct label *mlabel)
1926 struct mac_biba *p, *s;
1936 error = biba_equal_effective(p, s) ? 0 : EACCES;
1942 biba_socket_check_relabel(struct ucred *cred, struct socket *so,
1943 struct label *solabel, struct label *newlabel)
1945 struct mac_biba *subj, *obj, *new;
1948 SOCK_LOCK_ASSERT(so);
1950 new = SLOT(newlabel);
1951 subj = SLOT(cred->cr_label);
1952 obj = SLOT(solabel);
1955 * If there is a Biba label update for the socket, it may be an
1956 * update of effective.
1958 error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
1963 * To relabel a socket, the old socket effective must be in the
1966 if (!biba_effective_in_range(obj, subj))
1970 * If the Biba label is to be changed, authorize as appropriate.
1972 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
1974 * To relabel a socket, the new socket effective must be in
1975 * the subject range.
1977 if (!biba_effective_in_range(new, subj))
1981 * To change the Biba label on the socket to contain EQUAL,
1982 * the subject must have appropriate privilege.
1984 if (biba_contains_equal(new)) {
1985 error = biba_subject_privileged(subj);
1995 biba_socket_check_visible(struct ucred *cred, struct socket *so,
1996 struct label *solabel)
1998 struct mac_biba *subj, *obj;
2003 subj = SLOT(cred->cr_label);
2004 obj = SLOT(solabel);
2007 if (!biba_dominate_effective(obj, subj)) {
2017 biba_socket_create(struct ucred *cred, struct socket *so,
2018 struct label *solabel)
2020 struct mac_biba *source, *dest;
2022 source = SLOT(cred->cr_label);
2023 dest = SLOT(solabel);
2025 biba_copy_effective(source, dest);
2029 biba_socket_create_mbuf(struct socket *so, struct label *solabel,
2030 struct mbuf *m, struct label *mlabel)
2032 struct mac_biba *source, *dest;
2034 source = SLOT(solabel);
2035 dest = SLOT(mlabel);
2038 biba_copy_effective(source, dest);
2043 biba_socket_newconn(struct socket *oldso, struct label *oldsolabel,
2044 struct socket *newso, struct label *newsolabel)
2046 struct mac_biba source, *dest;
2049 source = *SLOT(oldsolabel);
2052 dest = SLOT(newsolabel);
2055 biba_copy_effective(&source, dest);
2060 biba_socket_relabel(struct ucred *cred, struct socket *so,
2061 struct label *solabel, struct label *newlabel)
2063 struct mac_biba *source, *dest;
2065 SOCK_LOCK_ASSERT(so);
2067 source = SLOT(newlabel);
2068 dest = SLOT(solabel);
2070 biba_copy(source, dest);
2074 biba_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
2075 struct socket *so, struct label *sopeerlabel)
2077 struct mac_biba *source, *dest;
2079 source = SLOT(mlabel);
2080 dest = SLOT(sopeerlabel);
2083 biba_copy_effective(source, dest);
2088 biba_socketpeer_set_from_socket(struct socket *oldso,
2089 struct label *oldsolabel, struct socket *newso,
2090 struct label *newsopeerlabel)
2092 struct mac_biba source, *dest;
2095 source = *SLOT(oldsolabel);
2097 dest = SLOT(newsopeerlabel);
2100 biba_copy_effective(&source, dest);
2105 biba_syncache_create(struct label *label, struct inpcb *inp)
2107 struct mac_biba *source, *dest;
2109 source = SLOT(inp->inp_label);
2111 biba_copy_effective(source, dest);
2115 biba_syncache_create_mbuf(struct label *sc_label, struct mbuf *m,
2116 struct label *mlabel)
2118 struct mac_biba *source, *dest;
2120 source = SLOT(sc_label);
2121 dest = SLOT(mlabel);
2122 biba_copy_effective(source, dest);
2126 biba_system_check_acct(struct ucred *cred, struct vnode *vp,
2127 struct label *vplabel)
2129 struct mac_biba *subj, *obj;
2135 subj = SLOT(cred->cr_label);
2137 error = biba_subject_privileged(subj);
2141 if (vplabel == NULL)
2144 obj = SLOT(vplabel);
2145 if (!biba_high_effective(obj))
2152 biba_system_check_auditctl(struct ucred *cred, struct vnode *vp,
2153 struct label *vplabel)
2155 struct mac_biba *subj, *obj;
2161 subj = SLOT(cred->cr_label);
2163 error = biba_subject_privileged(subj);
2167 if (vplabel == NULL)
2170 obj = SLOT(vplabel);
2171 if (!biba_high_effective(obj))
2178 biba_system_check_auditon(struct ucred *cred, int cmd)
2180 struct mac_biba *subj;
2186 subj = SLOT(cred->cr_label);
2188 error = biba_subject_privileged(subj);
2196 biba_system_check_swapoff(struct ucred *cred, struct vnode *vp,
2197 struct label *label)
2199 struct mac_biba *subj;
2205 subj = SLOT(cred->cr_label);
2207 error = biba_subject_privileged(subj);
2215 biba_system_check_swapon(struct ucred *cred, struct vnode *vp,
2216 struct label *vplabel)
2218 struct mac_biba *subj, *obj;
2224 subj = SLOT(cred->cr_label);
2225 obj = SLOT(vplabel);
2227 error = biba_subject_privileged(subj);
2231 if (!biba_high_effective(obj))
2238 biba_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
2239 void *arg1, int arg2, struct sysctl_req *req)
2241 struct mac_biba *subj;
2247 subj = SLOT(cred->cr_label);
2250 * Treat sysctl variables without CTLFLAG_ANYBODY flag as biba/high,
2251 * but also require privilege to change them.
2253 if (req->newptr != NULL && (oidp->oid_kind & CTLFLAG_ANYBODY) == 0) {
2254 if (!biba_subject_dominate_high(subj))
2257 error = biba_subject_privileged(subj);
2266 biba_sysvmsg_cleanup(struct label *msglabel)
2269 bzero(SLOT(msglabel), sizeof(struct mac_biba));
2273 biba_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
2274 struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
2276 struct mac_biba *source, *dest;
2278 /* Ignore the msgq label */
2279 source = SLOT(cred->cr_label);
2280 dest = SLOT(msglabel);
2282 biba_copy_effective(source, dest);
2286 biba_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
2287 struct label *msglabel)
2289 struct mac_biba *subj, *obj;
2294 subj = SLOT(cred->cr_label);
2295 obj = SLOT(msglabel);
2297 if (!biba_dominate_effective(obj, subj))
2304 biba_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
2305 struct label *msglabel)
2307 struct mac_biba *subj, *obj;
2312 subj = SLOT(cred->cr_label);
2313 obj = SLOT(msglabel);
2315 if (!biba_dominate_effective(subj, obj))
2322 biba_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
2323 struct label *msqklabel)
2325 struct mac_biba *subj, *obj;
2330 subj = SLOT(cred->cr_label);
2331 obj = SLOT(msqklabel);
2333 if (!biba_dominate_effective(obj, subj))
2340 biba_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
2341 struct label *msqklabel)
2343 struct mac_biba *subj, *obj;
2348 subj = SLOT(cred->cr_label);
2349 obj = SLOT(msqklabel);
2351 if (!biba_dominate_effective(subj, obj))
2358 biba_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
2359 struct label *msqklabel)
2361 struct mac_biba *subj, *obj;
2366 subj = SLOT(cred->cr_label);
2367 obj = SLOT(msqklabel);
2369 if (!biba_dominate_effective(obj, subj))
2376 biba_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
2377 struct label *msqklabel, int cmd)
2379 struct mac_biba *subj, *obj;
2384 subj = SLOT(cred->cr_label);
2385 obj = SLOT(msqklabel);
2390 if (!biba_dominate_effective(subj, obj))
2395 if (!biba_dominate_effective(obj, subj))
2407 biba_sysvmsq_cleanup(struct label *msqlabel)
2410 bzero(SLOT(msqlabel), sizeof(struct mac_biba));
2414 biba_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr,
2415 struct label *msqlabel)
2417 struct mac_biba *source, *dest;
2419 source = SLOT(cred->cr_label);
2420 dest = SLOT(msqlabel);
2422 biba_copy_effective(source, dest);
2426 biba_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr,
2427 struct label *semaklabel, int cmd)
2429 struct mac_biba *subj, *obj;
2434 subj = SLOT(cred->cr_label);
2435 obj = SLOT(semaklabel);
2442 if (!biba_dominate_effective(subj, obj))
2452 if (!biba_dominate_effective(obj, subj))
2464 biba_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr,
2465 struct label *semaklabel)
2467 struct mac_biba *subj, *obj;
2472 subj = SLOT(cred->cr_label);
2473 obj = SLOT(semaklabel);
2475 if (!biba_dominate_effective(obj, subj))
2482 biba_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr,
2483 struct label *semaklabel, size_t accesstype)
2485 struct mac_biba *subj, *obj;
2490 subj = SLOT(cred->cr_label);
2491 obj = SLOT(semaklabel);
2493 if (accesstype & SEM_R)
2494 if (!biba_dominate_effective(obj, subj))
2497 if (accesstype & SEM_A)
2498 if (!biba_dominate_effective(subj, obj))
2505 biba_sysvsem_cleanup(struct label *semalabel)
2508 bzero(SLOT(semalabel), sizeof(struct mac_biba));
2512 biba_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
2513 struct label *semalabel)
2515 struct mac_biba *source, *dest;
2517 source = SLOT(cred->cr_label);
2518 dest = SLOT(semalabel);
2520 biba_copy_effective(source, dest);
2524 biba_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
2525 struct label *shmseglabel, int shmflg)
2527 struct mac_biba *subj, *obj;
2532 subj = SLOT(cred->cr_label);
2533 obj = SLOT(shmseglabel);
2535 if (!biba_dominate_effective(obj, subj))
2537 if ((shmflg & SHM_RDONLY) == 0) {
2538 if (!biba_dominate_effective(subj, obj))
2546 biba_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
2547 struct label *shmseglabel, int cmd)
2549 struct mac_biba *subj, *obj;
2554 subj = SLOT(cred->cr_label);
2555 obj = SLOT(shmseglabel);
2560 if (!biba_dominate_effective(subj, obj))
2566 if (!biba_dominate_effective(obj, subj))
2578 biba_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
2579 struct label *shmseglabel, int shmflg)
2581 struct mac_biba *subj, *obj;
2586 subj = SLOT(cred->cr_label);
2587 obj = SLOT(shmseglabel);
2589 if (!biba_dominate_effective(obj, subj))
2596 biba_sysvshm_cleanup(struct label *shmlabel)
2599 bzero(SLOT(shmlabel), sizeof(struct mac_biba));
2603 biba_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
2604 struct label *shmlabel)
2606 struct mac_biba *source, *dest;
2608 source = SLOT(cred->cr_label);
2609 dest = SLOT(shmlabel);
2611 biba_copy_effective(source, dest);
2615 biba_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
2616 struct vnode *vp, struct label *vplabel)
2618 struct mac_biba mb_temp, *source, *dest;
2621 source = SLOT(mplabel);
2622 dest = SLOT(vplabel);
2624 buflen = sizeof(mb_temp);
2625 bzero(&mb_temp, buflen);
2627 error = vn_extattr_get(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
2628 MAC_BIBA_EXTATTR_NAME, &buflen, (char *) &mb_temp, curthread);
2629 if (error == ENOATTR || error == EOPNOTSUPP) {
2630 /* Fall back to the mntlabel. */
2631 biba_copy_effective(source, dest);
2636 if (buflen != sizeof(mb_temp)) {
2637 printf("biba_vnode_associate_extattr: bad size %d\n",
2641 if (biba_valid(&mb_temp) != 0) {
2642 printf("biba_vnode_associate_extattr: invalid\n");
2645 if ((mb_temp.mb_flags & MAC_BIBA_FLAGS_BOTH) !=
2646 MAC_BIBA_FLAG_EFFECTIVE) {
2647 printf("biba_vnode_associate_extattr: not effective\n");
2651 biba_copy_effective(&mb_temp, dest);
2656 biba_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel,
2657 struct vnode *vp, struct label *vplabel)
2659 struct mac_biba *source, *dest;
2661 source = SLOT(mplabel);
2662 dest = SLOT(vplabel);
2664 biba_copy_effective(source, dest);
2668 biba_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
2669 struct label *dvplabel)
2671 struct mac_biba *subj, *obj;
2676 subj = SLOT(cred->cr_label);
2677 obj = SLOT(dvplabel);
2679 if (!biba_dominate_effective(obj, subj))
2686 biba_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
2687 struct label *dvplabel)
2689 struct mac_biba *subj, *obj;
2694 subj = SLOT(cred->cr_label);
2695 obj = SLOT(dvplabel);
2697 if (!biba_dominate_effective(obj, subj))
2704 biba_vnode_check_create(struct ucred *cred, struct vnode *dvp,
2705 struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
2707 struct mac_biba *subj, *obj;
2712 subj = SLOT(cred->cr_label);
2713 obj = SLOT(dvplabel);
2715 if (!biba_dominate_effective(subj, obj))
2722 biba_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
2723 struct label *vplabel, acl_type_t type)
2725 struct mac_biba *subj, *obj;
2730 subj = SLOT(cred->cr_label);
2731 obj = SLOT(vplabel);
2733 if (!biba_dominate_effective(subj, obj))
2740 biba_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
2741 struct label *vplabel, int attrnamespace, const char *name)
2743 struct mac_biba *subj, *obj;
2748 subj = SLOT(cred->cr_label);
2749 obj = SLOT(vplabel);
2751 if (!biba_dominate_effective(subj, obj))
2758 biba_vnode_check_exec(struct ucred *cred, struct vnode *vp,
2759 struct label *vplabel, struct image_params *imgp,
2760 struct label *execlabel)
2762 struct mac_biba *subj, *obj, *exec;
2765 if (execlabel != NULL) {
2767 * We currently don't permit labels to be changed at
2768 * exec-time as part of Biba, so disallow non-NULL Biba label
2769 * elements in the execlabel.
2771 exec = SLOT(execlabel);
2772 error = biba_atmostflags(exec, 0);
2780 subj = SLOT(cred->cr_label);
2781 obj = SLOT(vplabel);
2783 if (!biba_dominate_effective(obj, subj))
2790 biba_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
2791 struct label *vplabel, acl_type_t type)
2793 struct mac_biba *subj, *obj;
2798 subj = SLOT(cred->cr_label);
2799 obj = SLOT(vplabel);
2801 if (!biba_dominate_effective(obj, subj))
2808 biba_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
2809 struct label *vplabel, int attrnamespace, const char *name)
2811 struct mac_biba *subj, *obj;
2816 subj = SLOT(cred->cr_label);
2817 obj = SLOT(vplabel);
2819 if (!biba_dominate_effective(obj, subj))
2826 biba_vnode_check_link(struct ucred *cred, struct vnode *dvp,
2827 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2828 struct componentname *cnp)
2830 struct mac_biba *subj, *obj;
2835 subj = SLOT(cred->cr_label);
2836 obj = SLOT(dvplabel);
2838 if (!biba_dominate_effective(subj, obj))
2841 obj = SLOT(vplabel);
2843 if (!biba_dominate_effective(subj, obj))
2850 biba_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
2851 struct label *vplabel, int attrnamespace)
2853 struct mac_biba *subj, *obj;
2858 subj = SLOT(cred->cr_label);
2859 obj = SLOT(vplabel);
2861 if (!biba_dominate_effective(obj, subj))
2868 biba_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
2869 struct label *dvplabel, struct componentname *cnp)
2871 struct mac_biba *subj, *obj;
2876 subj = SLOT(cred->cr_label);
2877 obj = SLOT(dvplabel);
2879 if (!biba_dominate_effective(obj, subj))
2886 biba_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
2887 struct label *vplabel, int prot, int flags)
2889 struct mac_biba *subj, *obj;
2892 * Rely on the use of open()-time protections to handle
2893 * non-revocation cases.
2895 if (!biba_enabled || !revocation_enabled)
2898 subj = SLOT(cred->cr_label);
2899 obj = SLOT(vplabel);
2901 if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
2902 if (!biba_dominate_effective(obj, subj))
2905 if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) {
2906 if (!biba_dominate_effective(subj, obj))
2914 biba_vnode_check_open(struct ucred *cred, struct vnode *vp,
2915 struct label *vplabel, accmode_t accmode)
2917 struct mac_biba *subj, *obj;
2922 subj = SLOT(cred->cr_label);
2923 obj = SLOT(vplabel);
2925 /* XXX privilege override for admin? */
2926 if (accmode & (VREAD | VEXEC | VSTAT_PERMS)) {
2927 if (!biba_dominate_effective(obj, subj))
2930 if (accmode & VMODIFY_PERMS) {
2931 if (!biba_dominate_effective(subj, obj))
2939 biba_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
2940 struct vnode *vp, struct label *vplabel)
2942 struct mac_biba *subj, *obj;
2944 if (!biba_enabled || !revocation_enabled)
2947 subj = SLOT(active_cred->cr_label);
2948 obj = SLOT(vplabel);
2950 if (!biba_dominate_effective(obj, subj))
2957 biba_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
2958 struct vnode *vp, struct label *vplabel)
2960 struct mac_biba *subj, *obj;
2962 if (!biba_enabled || !revocation_enabled)
2965 subj = SLOT(active_cred->cr_label);
2966 obj = SLOT(vplabel);
2968 if (!biba_dominate_effective(obj, subj))
2975 biba_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
2976 struct label *dvplabel)
2978 struct mac_biba *subj, *obj;
2983 subj = SLOT(cred->cr_label);
2984 obj = SLOT(dvplabel);
2986 if (!biba_dominate_effective(obj, subj))
2993 biba_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
2994 struct label *vplabel)
2996 struct mac_biba *subj, *obj;
3001 subj = SLOT(cred->cr_label);
3002 obj = SLOT(vplabel);
3004 if (!biba_dominate_effective(obj, subj))
3011 biba_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
3012 struct label *vplabel, struct label *newlabel)
3014 struct mac_biba *old, *new, *subj;
3017 old = SLOT(vplabel);
3018 new = SLOT(newlabel);
3019 subj = SLOT(cred->cr_label);
3022 * If there is a Biba label update for the vnode, it must be a
3025 error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
3030 * To perform a relabel of the vnode (Biba label or not), Biba must
3031 * authorize the relabel.
3033 if (!biba_effective_in_range(old, subj))
3037 * If the Biba label is to be changed, authorize as appropriate.
3039 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
3041 * To change the Biba label on a vnode, the new vnode label
3042 * must be in the subject range.
3044 if (!biba_effective_in_range(new, subj))
3048 * To change the Biba label on the vnode to be EQUAL, the
3049 * subject must have appropriate privilege.
3051 if (biba_contains_equal(new)) {
3052 error = biba_subject_privileged(subj);
3062 biba_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
3063 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
3064 struct componentname *cnp)
3066 struct mac_biba *subj, *obj;
3071 subj = SLOT(cred->cr_label);
3072 obj = SLOT(dvplabel);
3074 if (!biba_dominate_effective(subj, obj))
3077 obj = SLOT(vplabel);
3079 if (!biba_dominate_effective(subj, obj))
3086 biba_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
3087 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
3088 int samedir, struct componentname *cnp)
3090 struct mac_biba *subj, *obj;
3095 subj = SLOT(cred->cr_label);
3096 obj = SLOT(dvplabel);
3098 if (!biba_dominate_effective(subj, obj))
3102 obj = SLOT(vplabel);
3104 if (!biba_dominate_effective(subj, obj))
3112 biba_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
3113 struct label *vplabel)
3115 struct mac_biba *subj, *obj;
3120 subj = SLOT(cred->cr_label);
3121 obj = SLOT(vplabel);
3123 if (!biba_dominate_effective(subj, obj))
3130 biba_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
3131 struct label *vplabel, acl_type_t type, struct acl *acl)
3133 struct mac_biba *subj, *obj;
3138 subj = SLOT(cred->cr_label);
3139 obj = SLOT(vplabel);
3141 if (!biba_dominate_effective(subj, obj))
3148 biba_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
3149 struct label *vplabel, int attrnamespace, const char *name)
3151 struct mac_biba *subj, *obj;
3156 subj = SLOT(cred->cr_label);
3157 obj = SLOT(vplabel);
3159 if (!biba_dominate_effective(subj, obj))
3162 /* XXX: protect the MAC EA in a special way? */
3168 biba_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
3169 struct label *vplabel, u_long flags)
3171 struct mac_biba *subj, *obj;
3176 subj = SLOT(cred->cr_label);
3177 obj = SLOT(vplabel);
3179 if (!biba_dominate_effective(subj, obj))
3186 biba_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
3187 struct label *vplabel, mode_t mode)
3189 struct mac_biba *subj, *obj;
3194 subj = SLOT(cred->cr_label);
3195 obj = SLOT(vplabel);
3197 if (!biba_dominate_effective(subj, obj))
3204 biba_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
3205 struct label *vplabel, uid_t uid, gid_t gid)
3207 struct mac_biba *subj, *obj;
3212 subj = SLOT(cred->cr_label);
3213 obj = SLOT(vplabel);
3215 if (!biba_dominate_effective(subj, obj))
3222 biba_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
3223 struct label *vplabel, struct timespec atime, struct timespec mtime)
3225 struct mac_biba *subj, *obj;
3230 subj = SLOT(cred->cr_label);
3231 obj = SLOT(vplabel);
3233 if (!biba_dominate_effective(subj, obj))
3240 biba_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
3241 struct vnode *vp, struct label *vplabel)
3243 struct mac_biba *subj, *obj;
3248 subj = SLOT(active_cred->cr_label);
3249 obj = SLOT(vplabel);
3251 if (!biba_dominate_effective(obj, subj))
3258 biba_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
3259 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
3260 struct componentname *cnp)
3262 struct mac_biba *subj, *obj;
3267 subj = SLOT(cred->cr_label);
3268 obj = SLOT(dvplabel);
3270 if (!biba_dominate_effective(subj, obj))
3273 obj = SLOT(vplabel);
3275 if (!biba_dominate_effective(subj, obj))
3282 biba_vnode_check_write(struct ucred *active_cred,
3283 struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
3285 struct mac_biba *subj, *obj;
3287 if (!biba_enabled || !revocation_enabled)
3290 subj = SLOT(active_cred->cr_label);
3291 obj = SLOT(vplabel);
3293 if (!biba_dominate_effective(subj, obj))
3300 biba_vnode_create_extattr(struct ucred *cred, struct mount *mp,
3301 struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
3302 struct vnode *vp, struct label *vplabel, struct componentname *cnp)
3304 struct mac_biba *source, *dest, mb_temp;
3308 buflen = sizeof(mb_temp);
3309 bzero(&mb_temp, buflen);
3311 source = SLOT(cred->cr_label);
3312 dest = SLOT(vplabel);
3313 biba_copy_effective(source, &mb_temp);
3315 error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
3316 MAC_BIBA_EXTATTR_NAME, buflen, (char *) &mb_temp, curthread);
3318 biba_copy_effective(source, dest);
3323 biba_vnode_relabel(struct ucred *cred, struct vnode *vp,
3324 struct label *vplabel, struct label *newlabel)
3326 struct mac_biba *source, *dest;
3328 source = SLOT(newlabel);
3329 dest = SLOT(vplabel);
3331 biba_copy(source, dest);
3335 biba_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
3336 struct label *vplabel, struct label *intlabel)
3338 struct mac_biba *source, mb_temp;
3342 buflen = sizeof(mb_temp);
3343 bzero(&mb_temp, buflen);
3345 source = SLOT(intlabel);
3346 if ((source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) == 0)
3349 biba_copy_effective(source, &mb_temp);
3351 error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
3352 MAC_BIBA_EXTATTR_NAME, buflen, (char *) &mb_temp, curthread);
3356 static struct mac_policy_ops mac_biba_ops =
3358 .mpo_init = biba_init,
3360 .mpo_bpfdesc_check_receive = biba_bpfdesc_check_receive,
3361 .mpo_bpfdesc_create = biba_bpfdesc_create,
3362 .mpo_bpfdesc_create_mbuf = biba_bpfdesc_create_mbuf,
3363 .mpo_bpfdesc_destroy_label = biba_destroy_label,
3364 .mpo_bpfdesc_init_label = biba_init_label,
3366 .mpo_cred_associate_nfsd = biba_cred_associate_nfsd,
3367 .mpo_cred_check_relabel = biba_cred_check_relabel,
3368 .mpo_cred_check_visible = biba_cred_check_visible,
3369 .mpo_cred_copy_label = biba_copy_label,
3370 .mpo_cred_create_init = biba_cred_create_init,
3371 .mpo_cred_create_swapper = biba_cred_create_swapper,
3372 .mpo_cred_destroy_label = biba_destroy_label,
3373 .mpo_cred_externalize_label = biba_externalize_label,
3374 .mpo_cred_init_label = biba_init_label,
3375 .mpo_cred_internalize_label = biba_internalize_label,
3376 .mpo_cred_relabel = biba_cred_relabel,
3378 .mpo_devfs_create_device = biba_devfs_create_device,
3379 .mpo_devfs_create_directory = biba_devfs_create_directory,
3380 .mpo_devfs_create_symlink = biba_devfs_create_symlink,
3381 .mpo_devfs_destroy_label = biba_destroy_label,
3382 .mpo_devfs_init_label = biba_init_label,
3383 .mpo_devfs_update = biba_devfs_update,
3384 .mpo_devfs_vnode_associate = biba_devfs_vnode_associate,
3386 .mpo_ifnet_check_relabel = biba_ifnet_check_relabel,
3387 .mpo_ifnet_check_transmit = biba_ifnet_check_transmit,
3388 .mpo_ifnet_copy_label = biba_copy_label,
3389 .mpo_ifnet_create = biba_ifnet_create,
3390 .mpo_ifnet_create_mbuf = biba_ifnet_create_mbuf,
3391 .mpo_ifnet_destroy_label = biba_destroy_label,
3392 .mpo_ifnet_externalize_label = biba_externalize_label,
3393 .mpo_ifnet_init_label = biba_init_label,
3394 .mpo_ifnet_internalize_label = biba_internalize_label,
3395 .mpo_ifnet_relabel = biba_ifnet_relabel,
3397 .mpo_inpcb_check_deliver = biba_inpcb_check_deliver,
3398 .mpo_inpcb_check_visible = biba_inpcb_check_visible,
3399 .mpo_inpcb_create = biba_inpcb_create,
3400 .mpo_inpcb_create_mbuf = biba_inpcb_create_mbuf,
3401 .mpo_inpcb_destroy_label = biba_destroy_label,
3402 .mpo_inpcb_init_label = biba_init_label_waitcheck,
3403 .mpo_inpcb_sosetlabel = biba_inpcb_sosetlabel,
3405 .mpo_ip6q_create = biba_ip6q_create,
3406 .mpo_ip6q_destroy_label = biba_destroy_label,
3407 .mpo_ip6q_init_label = biba_init_label_waitcheck,
3408 .mpo_ip6q_match = biba_ip6q_match,
3409 .mpo_ip6q_reassemble = biba_ip6q_reassemble,
3410 .mpo_ip6q_update = biba_ip6q_update,
3412 .mpo_ipq_create = biba_ipq_create,
3413 .mpo_ipq_destroy_label = biba_destroy_label,
3414 .mpo_ipq_init_label = biba_init_label_waitcheck,
3415 .mpo_ipq_match = biba_ipq_match,
3416 .mpo_ipq_reassemble = biba_ipq_reassemble,
3417 .mpo_ipq_update = biba_ipq_update,
3419 .mpo_kld_check_load = biba_kld_check_load,
3421 .mpo_mbuf_copy_label = biba_copy_label,
3422 .mpo_mbuf_destroy_label = biba_destroy_label,
3423 .mpo_mbuf_init_label = biba_init_label_waitcheck,
3425 .mpo_mount_check_stat = biba_mount_check_stat,
3426 .mpo_mount_create = biba_mount_create,
3427 .mpo_mount_destroy_label = biba_destroy_label,
3428 .mpo_mount_init_label = biba_init_label,
3430 .mpo_netatalk_aarp_send = biba_netatalk_aarp_send,
3432 .mpo_netinet_arp_send = biba_netinet_arp_send,
3433 .mpo_netinet_firewall_reply = biba_netinet_firewall_reply,
3434 .mpo_netinet_firewall_send = biba_netinet_firewall_send,
3435 .mpo_netinet_fragment = biba_netinet_fragment,
3436 .mpo_netinet_icmp_reply = biba_netinet_icmp_reply,
3437 .mpo_netinet_igmp_send = biba_netinet_igmp_send,
3439 .mpo_netinet6_nd6_send = biba_netinet6_nd6_send,
3441 .mpo_pipe_check_ioctl = biba_pipe_check_ioctl,
3442 .mpo_pipe_check_poll = biba_pipe_check_poll,
3443 .mpo_pipe_check_read = biba_pipe_check_read,
3444 .mpo_pipe_check_relabel = biba_pipe_check_relabel,
3445 .mpo_pipe_check_stat = biba_pipe_check_stat,
3446 .mpo_pipe_check_write = biba_pipe_check_write,
3447 .mpo_pipe_copy_label = biba_copy_label,
3448 .mpo_pipe_create = biba_pipe_create,
3449 .mpo_pipe_destroy_label = biba_destroy_label,
3450 .mpo_pipe_externalize_label = biba_externalize_label,
3451 .mpo_pipe_init_label = biba_init_label,
3452 .mpo_pipe_internalize_label = biba_internalize_label,
3453 .mpo_pipe_relabel = biba_pipe_relabel,
3455 .mpo_posixsem_check_getvalue = biba_posixsem_check_rdonly,
3456 .mpo_posixsem_check_open = biba_posixsem_check_openunlink,
3457 .mpo_posixsem_check_post = biba_posixsem_check_write,
3458 .mpo_posixsem_check_stat = biba_posixsem_check_rdonly,
3459 .mpo_posixsem_check_unlink = biba_posixsem_check_openunlink,
3460 .mpo_posixsem_check_wait = biba_posixsem_check_write,
3461 .mpo_posixsem_create = biba_posixsem_create,
3462 .mpo_posixsem_destroy_label = biba_destroy_label,
3463 .mpo_posixsem_init_label = biba_init_label,
3465 .mpo_priv_check = biba_priv_check,
3467 .mpo_proc_check_debug = biba_proc_check_debug,
3468 .mpo_proc_check_sched = biba_proc_check_sched,
3469 .mpo_proc_check_signal = biba_proc_check_signal,
3471 .mpo_socket_check_deliver = biba_socket_check_deliver,
3472 .mpo_socket_check_relabel = biba_socket_check_relabel,
3473 .mpo_socket_check_visible = biba_socket_check_visible,
3474 .mpo_socket_copy_label = biba_copy_label,
3475 .mpo_socket_create = biba_socket_create,
3476 .mpo_socket_create_mbuf = biba_socket_create_mbuf,
3477 .mpo_socket_destroy_label = biba_destroy_label,
3478 .mpo_socket_externalize_label = biba_externalize_label,
3479 .mpo_socket_init_label = biba_init_label_waitcheck,
3480 .mpo_socket_internalize_label = biba_internalize_label,
3481 .mpo_socket_newconn = biba_socket_newconn,
3482 .mpo_socket_relabel = biba_socket_relabel,
3484 .mpo_socketpeer_destroy_label = biba_destroy_label,
3485 .mpo_socketpeer_externalize_label = biba_externalize_label,
3486 .mpo_socketpeer_init_label = biba_init_label_waitcheck,
3487 .mpo_socketpeer_set_from_mbuf = biba_socketpeer_set_from_mbuf,
3488 .mpo_socketpeer_set_from_socket = biba_socketpeer_set_from_socket,
3490 .mpo_syncache_create = biba_syncache_create,
3491 .mpo_syncache_create_mbuf = biba_syncache_create_mbuf,
3492 .mpo_syncache_destroy_label = biba_destroy_label,
3493 .mpo_syncache_init_label = biba_init_label_waitcheck,
3495 .mpo_system_check_acct = biba_system_check_acct,
3496 .mpo_system_check_auditctl = biba_system_check_auditctl,
3497 .mpo_system_check_auditon = biba_system_check_auditon,
3498 .mpo_system_check_swapoff = biba_system_check_swapoff,
3499 .mpo_system_check_swapon = biba_system_check_swapon,
3500 .mpo_system_check_sysctl = biba_system_check_sysctl,
3502 .mpo_sysvmsg_cleanup = biba_sysvmsg_cleanup,
3503 .mpo_sysvmsg_create = biba_sysvmsg_create,
3504 .mpo_sysvmsg_destroy_label = biba_destroy_label,
3505 .mpo_sysvmsg_init_label = biba_init_label,
3507 .mpo_sysvmsq_check_msgrcv = biba_sysvmsq_check_msgrcv,
3508 .mpo_sysvmsq_check_msgrmid = biba_sysvmsq_check_msgrmid,
3509 .mpo_sysvmsq_check_msqget = biba_sysvmsq_check_msqget,
3510 .mpo_sysvmsq_check_msqsnd = biba_sysvmsq_check_msqsnd,
3511 .mpo_sysvmsq_check_msqrcv = biba_sysvmsq_check_msqrcv,
3512 .mpo_sysvmsq_check_msqctl = biba_sysvmsq_check_msqctl,
3513 .mpo_sysvmsq_cleanup = biba_sysvmsq_cleanup,
3514 .mpo_sysvmsq_create = biba_sysvmsq_create,
3515 .mpo_sysvmsq_destroy_label = biba_destroy_label,
3516 .mpo_sysvmsq_init_label = biba_init_label,
3518 .mpo_sysvsem_check_semctl = biba_sysvsem_check_semctl,
3519 .mpo_sysvsem_check_semget = biba_sysvsem_check_semget,
3520 .mpo_sysvsem_check_semop = biba_sysvsem_check_semop,
3521 .mpo_sysvsem_cleanup = biba_sysvsem_cleanup,
3522 .mpo_sysvsem_create = biba_sysvsem_create,
3523 .mpo_sysvsem_destroy_label = biba_destroy_label,
3524 .mpo_sysvsem_init_label = biba_init_label,
3526 .mpo_sysvshm_check_shmat = biba_sysvshm_check_shmat,
3527 .mpo_sysvshm_check_shmctl = biba_sysvshm_check_shmctl,
3528 .mpo_sysvshm_check_shmget = biba_sysvshm_check_shmget,
3529 .mpo_sysvshm_cleanup = biba_sysvshm_cleanup,
3530 .mpo_sysvshm_create = biba_sysvshm_create,
3531 .mpo_sysvshm_destroy_label = biba_destroy_label,
3532 .mpo_sysvshm_init_label = biba_init_label,
3534 .mpo_vnode_associate_extattr = biba_vnode_associate_extattr,
3535 .mpo_vnode_associate_singlelabel = biba_vnode_associate_singlelabel,
3536 .mpo_vnode_check_access = biba_vnode_check_open,
3537 .mpo_vnode_check_chdir = biba_vnode_check_chdir,
3538 .mpo_vnode_check_chroot = biba_vnode_check_chroot,
3539 .mpo_vnode_check_create = biba_vnode_check_create,
3540 .mpo_vnode_check_deleteacl = biba_vnode_check_deleteacl,
3541 .mpo_vnode_check_deleteextattr = biba_vnode_check_deleteextattr,
3542 .mpo_vnode_check_exec = biba_vnode_check_exec,
3543 .mpo_vnode_check_getacl = biba_vnode_check_getacl,
3544 .mpo_vnode_check_getextattr = biba_vnode_check_getextattr,
3545 .mpo_vnode_check_link = biba_vnode_check_link,
3546 .mpo_vnode_check_listextattr = biba_vnode_check_listextattr,
3547 .mpo_vnode_check_lookup = biba_vnode_check_lookup,
3548 .mpo_vnode_check_mmap = biba_vnode_check_mmap,
3549 .mpo_vnode_check_open = biba_vnode_check_open,
3550 .mpo_vnode_check_poll = biba_vnode_check_poll,
3551 .mpo_vnode_check_read = biba_vnode_check_read,
3552 .mpo_vnode_check_readdir = biba_vnode_check_readdir,
3553 .mpo_vnode_check_readlink = biba_vnode_check_readlink,
3554 .mpo_vnode_check_relabel = biba_vnode_check_relabel,
3555 .mpo_vnode_check_rename_from = biba_vnode_check_rename_from,
3556 .mpo_vnode_check_rename_to = biba_vnode_check_rename_to,
3557 .mpo_vnode_check_revoke = biba_vnode_check_revoke,
3558 .mpo_vnode_check_setacl = biba_vnode_check_setacl,
3559 .mpo_vnode_check_setextattr = biba_vnode_check_setextattr,
3560 .mpo_vnode_check_setflags = biba_vnode_check_setflags,
3561 .mpo_vnode_check_setmode = biba_vnode_check_setmode,
3562 .mpo_vnode_check_setowner = biba_vnode_check_setowner,
3563 .mpo_vnode_check_setutimes = biba_vnode_check_setutimes,
3564 .mpo_vnode_check_stat = biba_vnode_check_stat,
3565 .mpo_vnode_check_unlink = biba_vnode_check_unlink,
3566 .mpo_vnode_check_write = biba_vnode_check_write,
3567 .mpo_vnode_create_extattr = biba_vnode_create_extattr,
3568 .mpo_vnode_copy_label = biba_copy_label,
3569 .mpo_vnode_destroy_label = biba_destroy_label,
3570 .mpo_vnode_externalize_label = biba_externalize_label,
3571 .mpo_vnode_init_label = biba_init_label,
3572 .mpo_vnode_internalize_label = biba_internalize_label,
3573 .mpo_vnode_relabel = biba_vnode_relabel,
3574 .mpo_vnode_setlabel_extattr = biba_vnode_setlabel_extattr,
3577 MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba",
3578 MPC_LOADTIME_FLAG_NOTLATE, &biba_slot);