2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
6 * This software was developed by Robert Watson for the TrustedBSD Project.
8 * This software was developed for the FreeBSD Project in part by Network
9 * Associates Laboratories, the Security Research Division of Network
10 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
11 * as part of the DARPA CHATS research program.
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 #include <sys/cdefs.h>
36 __FBSDID("$FreeBSD$");
38 #include <sys/types.h>
39 #include <sys/queue.h>
40 #include <sys/sysctl.h>
52 static int internal_initialized;
55 * Maintain a list of default label preparations for various object
56 * types. Each name will appear only once in the list.
58 * XXXMAC: Not thread-safe.
60 static LIST_HEAD(, label_default) label_default_head;
61 struct label_default {
64 LIST_ENTRY(label_default) ld_entries;
68 mac_destroy_labels(void)
70 struct label_default *ld;
72 while ((ld = LIST_FIRST(&label_default_head))) {
75 LIST_REMOVE(ld, ld_entries);
81 mac_destroy_internal(void)
86 internal_initialized = 0;
90 mac_add_type(const char *name, const char *labels)
92 struct label_default *ld, *ld_new;
93 char *name_dup, *labels_dup;
96 * Speculatively allocate all the memory now to avoid allocating
97 * later when we will someday hold a mutex.
99 name_dup = strdup(name);
100 if (name_dup == NULL) {
104 labels_dup = strdup(labels);
105 if (labels_dup == NULL) {
110 ld_new = malloc(sizeof(*ld));
111 if (ld_new == NULL) {
119 * If the type is already present, replace the current entry
120 * rather than add a new instance.
122 for (ld = LIST_FIRST(&label_default_head); ld != NULL;
123 ld = LIST_NEXT(ld, ld_entries)) {
124 if (strcmp(name, ld->ld_name) == 0)
130 ld->ld_labels = labels_dup;
134 ld->ld_name = name_dup;
135 ld->ld_labels = labels_dup;
141 LIST_INSERT_HEAD(&label_default_head, ld, ld_entries);
144 if (name_dup != NULL)
146 if (labels_dup != NULL)
155 next_token(char **string)
159 token = strsep(string, " \t");
160 while (token != NULL && *token == '\0')
161 token = strsep(string, " \t");
167 mac_init_internal(int ignore_errors)
169 const char *filename;
176 LIST_INIT(&label_default_head);
178 if (!issetugid() && getenv("MAC_CONFFILE") != NULL)
179 filename = getenv("MAC_CONFFILE");
181 filename = MAC_CONFFILE;
182 file = fopen(filename, "r");
186 while (fgets(line, LINE_MAX, file)) {
187 char *comment, *parse, *statement;
189 if (line[strlen(line)-1] == '\n')
190 line[strlen(line)-1] = '\0';
199 /* Remove any comment. */
201 parse = strsep(&comment, "#");
203 /* Blank lines OK. */
204 statement = next_token(&parse);
205 if (statement == NULL)
208 if (strcmp(statement, "default_labels") == 0) {
211 name = next_token(&parse);
212 labels = next_token(&parse);
213 if (name == NULL || labels == NULL ||
214 next_token(&parse) != NULL) {
222 if (mac_add_type(name, labels) == -1) {
228 } else if (strcmp(statement, "default_ifnet_labels") == 0 ||
229 strcmp(statement, "default_file_labels") == 0 ||
230 strcmp(statement, "default_process_labels") == 0) {
233 if (strcmp(statement, "default_ifnet_labels") == 0)
235 else if (strcmp(statement, "default_file_labels") == 0)
237 else if (strcmp(statement, "default_process_labels") ==
241 labels = next_token(&parse);
242 if (labels == NULL || next_token(&parse) != NULL) {
250 if (mac_add_type(type, labels) == -1) {
267 internal_initialized = 1;
271 mac_destroy_internal();
276 mac_maybe_init_internal(void)
279 if (!internal_initialized)
280 return (mac_init_internal(1));
289 if (internal_initialized)
290 mac_destroy_internal();
291 return (mac_init_internal(0));
295 mac_free(struct mac *mac)
298 if (mac->m_string != NULL)
306 mac_from_text(struct mac **mac, const char *text)
309 *mac = (struct mac *) malloc(sizeof(**mac));
313 (*mac)->m_string = strdup(text);
314 if ((*mac)->m_string == NULL) {
320 (*mac)->m_buflen = strlen((*mac)->m_string)+1;
326 mac_to_text(struct mac *mac, char **text)
329 *text = strdup(mac->m_string);
336 mac_prepare(struct mac **mac, const char *elements)
339 if (strlen(elements) >= MAC_MAX_LABEL_BUF_LEN)
342 *mac = (struct mac *) malloc(sizeof(**mac));
346 (*mac)->m_string = malloc(MAC_MAX_LABEL_BUF_LEN);
347 if ((*mac)->m_string == NULL) {
353 strcpy((*mac)->m_string, elements);
354 (*mac)->m_buflen = MAC_MAX_LABEL_BUF_LEN;
360 mac_prepare_type(struct mac **mac, const char *name)
362 struct label_default *ld;
365 error = mac_maybe_init_internal();
369 for (ld = LIST_FIRST(&label_default_head); ld != NULL;
370 ld = LIST_NEXT(ld, ld_entries)) {
371 if (strcmp(name, ld->ld_name) == 0)
372 return (mac_prepare(mac, ld->ld_labels));
376 return (-1); /* XXXMAC: ENOLABEL */
380 mac_prepare_ifnet_label(struct mac **mac)
383 return (mac_prepare_type(mac, "ifnet"));
387 mac_prepare_file_label(struct mac **mac)
390 return (mac_prepare_type(mac, "file"));
394 mac_prepare_packet_label(struct mac **mac)
397 return (mac_prepare_type(mac, "packet"));
401 mac_prepare_process_label(struct mac **mac)
404 return (mac_prepare_type(mac, "process"));
408 * Simply test whether the TrustedBSD/MAC MIB tree is present; if so,
409 * return 1 to indicate that the system has MAC enabled overall or for
413 mac_is_present(const char *policyname)
420 if (policyname != NULL) {
421 if (policyname[strcspn(policyname, ".=")] != '\0') {
425 mibname = malloc(sizeof("security.mac.") - 1 +
426 strlen(policyname) + sizeof(".enabled"));
429 strcpy(mibname, "security.mac.");
430 strcat(mibname, policyname);
431 strcat(mibname, ".enabled");
433 error = sysctlnametomib(mibname, mib, &siz);
437 error = sysctlnametomib("security.mac", mib, &siz);
projects / FreeBSD / releng / 9.2.git / blob