2 * Copyright (c) 2002-2005 Networks Associates Technology, Inc.
5 * This software was developed for the FreeBSD Project by Network Associates
6 * Laboratories, the Security Research Division of Network Associates, Inc.
7 * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8 * DARPA CHATS research program.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 #include <sys/param.h>
34 #include <sys/errno.h>
37 #include <sys/sysctl.h>
38 #include <sys/ucred.h>
40 #include <sys/mount.h>
42 #include <security/mac_bsdextended/mac_bsdextended.h>
53 * Text format for rules: rules contain subject and object elements, mode.
54 * The total form is "subject [s_element] object [o_element] mode [mode]".
55 * At least * one of a uid or gid entry must be present; both may also be
59 #define MIB "security.mac.bsdextended"
62 bsde_rule_to_string(struct mac_bsdextended_rule *rule, char *buf, size_t buflen)
66 struct statfs *mntbuf;
67 char *cur, type[sizeof(rule->mbr_object.mbo_type) * CHAR_BIT + 1];
69 int anymode, unknownmode, truncated, numfs, i, notdone;
75 len = snprintf(cur, left, "subject ");
76 if (len < 0 || len > left)
80 if (rule->mbr_subject.mbs_flags) {
81 if (rule->mbr_subject.mbs_neg == MBS_ALL_FLAGS) {
82 len = snprintf(cur, left, "not ");
83 if (len < 0 || len > left)
92 if (!notdone && (rule->mbr_subject.mbs_neg & MBO_UID_DEFINED)) {
93 len = snprintf(cur, left, "! ");
94 if (len < 0 || len > left)
99 if (rule->mbr_subject.mbs_flags & MBO_UID_DEFINED) {
100 pwd = getpwuid(rule->mbr_subject.mbs_uid_min);
102 len = snprintf(cur, left, "uid %s",
104 if (len < 0 || len > left)
109 len = snprintf(cur, left, "uid %u",
110 rule->mbr_subject.mbs_uid_min);
111 if (len < 0 || len > left)
116 if (rule->mbr_subject.mbs_uid_min !=
117 rule->mbr_subject.mbs_uid_max) {
118 pwd = getpwuid(rule->mbr_subject.mbs_uid_max);
120 len = snprintf(cur, left, ":%s ",
122 if (len < 0 || len > left)
127 len = snprintf(cur, left, ":%u ",
128 rule->mbr_subject.mbs_uid_max);
129 if (len < 0 || len > left)
135 len = snprintf(cur, left, " ");
136 if (len < 0 || len > left)
142 if (!notdone && (rule->mbr_subject.mbs_neg & MBO_GID_DEFINED)) {
143 len = snprintf(cur, left, "! ");
144 if (len < 0 || len > left)
149 if (rule->mbr_subject.mbs_flags & MBO_GID_DEFINED) {
150 grp = getgrgid(rule->mbr_subject.mbs_gid_min);
152 len = snprintf(cur, left, "gid %s",
154 if (len < 0 || len > left)
159 len = snprintf(cur, left, "gid %u",
160 rule->mbr_subject.mbs_gid_min);
161 if (len < 0 || len > left)
166 if (rule->mbr_subject.mbs_gid_min !=
167 rule->mbr_subject.mbs_gid_max) {
168 grp = getgrgid(rule->mbr_subject.mbs_gid_max);
170 len = snprintf(cur, left, ":%s ",
172 if (len < 0 || len > left)
177 len = snprintf(cur, left, ":%u ",
178 rule->mbr_subject.mbs_gid_max);
179 if (len < 0 || len > left)
185 len = snprintf(cur, left, " ");
186 if (len < 0 || len > left)
192 if (!notdone && (rule->mbr_subject.mbs_neg & MBS_PRISON_DEFINED)) {
193 len = snprintf(cur, left, "! ");
194 if (len < 0 || len > left)
199 if (rule->mbr_subject.mbs_flags & MBS_PRISON_DEFINED) {
200 len = snprintf(cur, left, "jailid %d ",
201 rule->mbr_subject.mbs_prison);
202 if (len < 0 || len > left)
209 len = snprintf(cur, left, "object ");
210 if (len < 0 || len > left)
214 if (rule->mbr_object.mbo_flags) {
215 if (rule->mbr_object.mbo_neg == MBO_ALL_FLAGS) {
216 len = snprintf(cur, left, "not ");
217 if (len < 0 || len > left)
226 if (!notdone && (rule->mbr_object.mbo_neg & MBO_UID_DEFINED)) {
227 len = snprintf(cur, left, "! ");
228 if (len < 0 || len > left)
233 if (rule->mbr_object.mbo_flags & MBO_UID_DEFINED) {
234 pwd = getpwuid(rule->mbr_object.mbo_uid_min);
236 len = snprintf(cur, left, "uid %s",
238 if (len < 0 || len > left)
243 len = snprintf(cur, left, "uid %u",
244 rule->mbr_object.mbo_uid_min);
245 if (len < 0 || len > left)
250 if (rule->mbr_object.mbo_uid_min !=
251 rule->mbr_object.mbo_uid_max) {
252 pwd = getpwuid(rule->mbr_object.mbo_uid_max);
254 len = snprintf(cur, left, ":%s ",
256 if (len < 0 || len > left)
261 len = snprintf(cur, left, ":%u ",
262 rule->mbr_object.mbo_uid_max);
263 if (len < 0 || len > left)
269 len = snprintf(cur, left, " ");
270 if (len < 0 || len > left)
276 if (!notdone && (rule->mbr_object.mbo_neg & MBO_GID_DEFINED)) {
277 len = snprintf(cur, left, "! ");
278 if (len < 0 || len > left)
283 if (rule->mbr_object.mbo_flags & MBO_GID_DEFINED) {
284 grp = getgrgid(rule->mbr_object.mbo_gid_min);
286 len = snprintf(cur, left, "gid %s",
288 if (len < 0 || len > left)
293 len = snprintf(cur, left, "gid %u",
294 rule->mbr_object.mbo_gid_min);
295 if (len < 0 || len > left)
300 if (rule->mbr_object.mbo_gid_min !=
301 rule->mbr_object.mbo_gid_max) {
302 grp = getgrgid(rule->mbr_object.mbo_gid_max);
304 len = snprintf(cur, left, ":%s ",
306 if (len < 0 || len > left)
311 len = snprintf(cur, left, ":%u ",
312 rule->mbr_object.mbo_gid_max);
313 if (len < 0 || len > left)
319 len = snprintf(cur, left, " ");
320 if (len < 0 || len > left)
326 if (!notdone && (rule->mbr_object.mbo_neg & MBO_FSID_DEFINED)) {
327 len = snprintf(cur, left, "! ");
328 if (len < 0 || len > left)
333 if (rule->mbr_object.mbo_flags & MBO_FSID_DEFINED) {
334 numfs = getmntinfo(&mntbuf, MNT_NOWAIT);
335 for (i = 0; i < numfs; i++)
336 if (memcmp(&(rule->mbr_object.mbo_fsid),
338 sizeof(mntbuf[i].f_fsid)) == 0)
340 len = snprintf(cur, left, "filesys %s ",
341 i == numfs ? "???" : mntbuf[i].f_mntonname);
342 if (len < 0 || len > left)
347 if (!notdone && (rule->mbr_object.mbo_neg & MBO_SUID)) {
348 len = snprintf(cur, left, "! ");
349 if (len < 0 || len > left)
354 if (rule->mbr_object.mbo_flags & MBO_SUID) {
355 len = snprintf(cur, left, "suid ");
356 if (len < 0 || len > left)
361 if (!notdone && (rule->mbr_object.mbo_neg & MBO_SGID)) {
362 len = snprintf(cur, left, "! ");
363 if (len < 0 || len > left)
368 if (rule->mbr_object.mbo_flags & MBO_SGID) {
369 len = snprintf(cur, left, "sgid ");
370 if (len < 0 || len > left)
375 if (!notdone && (rule->mbr_object.mbo_neg & MBO_UID_SUBJECT)) {
376 len = snprintf(cur, left, "! ");
377 if (len < 0 || len > left)
382 if (rule->mbr_object.mbo_flags & MBO_UID_SUBJECT) {
383 len = snprintf(cur, left, "uid_of_subject ");
384 if (len < 0 || len > left)
389 if (!notdone && (rule->mbr_object.mbo_neg & MBO_GID_SUBJECT)) {
390 len = snprintf(cur, left, "! ");
391 if (len < 0 || len > left)
396 if (rule->mbr_object.mbo_flags & MBO_GID_SUBJECT) {
397 len = snprintf(cur, left, "gid_of_subject ");
398 if (len < 0 || len > left)
403 if (!notdone && (rule->mbr_object.mbo_neg & MBO_TYPE_DEFINED)) {
404 len = snprintf(cur, left, "! ");
405 if (len < 0 || len > left)
410 if (rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) {
412 if (rule->mbr_object.mbo_type & MBO_TYPE_REG)
414 if (rule->mbr_object.mbo_type & MBO_TYPE_DIR)
416 if (rule->mbr_object.mbo_type & MBO_TYPE_BLK)
418 if (rule->mbr_object.mbo_type & MBO_TYPE_CHR)
420 if (rule->mbr_object.mbo_type & MBO_TYPE_LNK)
422 if (rule->mbr_object.mbo_type & MBO_TYPE_SOCK)
424 if (rule->mbr_object.mbo_type & MBO_TYPE_FIFO)
426 if (rule->mbr_object.mbo_type == MBO_ALL_TYPE) {
431 len = snprintf(cur, left, "type %s ", type);
432 if (len < 0 || len > left)
439 len = snprintf(cur, left, "mode ");
440 if (len < 0 || len > left)
445 anymode = (rule->mbr_mode & MBI_ALLPERM);
446 unknownmode = (rule->mbr_mode & ~MBI_ALLPERM);
448 if (rule->mbr_mode & MBI_ADMIN) {
449 len = snprintf(cur, left, "a");
450 if (len < 0 || len > left)
456 if (rule->mbr_mode & MBI_READ) {
457 len = snprintf(cur, left, "r");
458 if (len < 0 || len > left)
464 if (rule->mbr_mode & MBI_STAT) {
465 len = snprintf(cur, left, "s");
466 if (len < 0 || len > left)
472 if (rule->mbr_mode & MBI_WRITE) {
473 len = snprintf(cur, left, "w");
474 if (len < 0 || len > left)
480 if (rule->mbr_mode & MBI_EXEC) {
481 len = snprintf(cur, left, "x");
482 if (len < 0 || len > left)
489 len = snprintf(cur, left, "n");
490 if (len < 0 || len > left)
497 len = snprintf(cur, left, "?");
498 if (len < 0 || len > left)
512 bsde_parse_uidrange(char *spec, uid_t *min, uid_t *max,
513 size_t buflen, char *errstr){
516 char *spec1, *spec2, *endp;
520 spec1 = strsep(&spec2, ":");
522 pwd = getpwnam(spec1);
526 value = strtoul(spec1, &endp, 10);
528 snprintf(errstr, buflen, "invalid uid: '%s'", spec1);
539 pwd = getpwnam(spec2);
543 value = strtoul(spec2, &endp, 10);
545 snprintf(errstr, buflen, "invalid uid: '%s'", spec2);
558 bsde_parse_gidrange(char *spec, gid_t *min, gid_t *max,
559 size_t buflen, char *errstr){
562 char *spec1, *spec2, *endp;
566 spec1 = strsep(&spec2, ":");
568 grp = getgrnam(spec1);
572 value = strtoul(spec1, &endp, 10);
574 snprintf(errstr, buflen, "invalid gid: '%s'", spec1);
585 grp = getgrnam(spec2);
589 value = strtoul(spec2, &endp, 10);
591 snprintf(errstr, buflen, "invalid gid: '%s'", spec2);
604 bsde_get_jailid(const char *name, size_t buflen, char *errstr)
608 struct iovec jiov[4];
610 /* Copy jail_getid(3) instead of messing with library dependancies */
611 jid = strtoul(name, &ep, 10);
614 jiov[0].iov_base = __DECONST(char *, "name");
615 jiov[0].iov_len = sizeof("name");
616 jiov[1].iov_len = strlen(name) + 1;
617 jiov[1].iov_base = alloca(jiov[1].iov_len);
618 strcpy(jiov[1].iov_base, name);
619 if (errstr && buflen) {
620 jiov[2].iov_base = __DECONST(char *, "errmsg");
621 jiov[2].iov_len = sizeof("errmsg");
622 jiov[3].iov_base = errstr;
623 jiov[3].iov_len = buflen;
625 jid = jail_get(jiov, 4, 0);
626 if (jid < 0 && !errstr[0])
627 snprintf(errstr, buflen, "jail_get: %s",
630 jid = jail_get(jiov, 2, 0);
635 bsde_parse_subject(int argc, char *argv[],
636 struct mac_bsdextended_subject *subject, size_t buflen, char *errstr)
639 int current, neg, nextnot;
640 uid_t uid_min, uid_max;
641 gid_t gid_min, gid_max;
649 if (strcmp("not", argv[current]) == 0) {
655 while (current < argc) {
656 if (strcmp(argv[current], "uid") == 0) {
657 if (current + 2 > argc) {
658 snprintf(errstr, buflen, "uid short");
661 if (flags & MBS_UID_DEFINED) {
662 snprintf(errstr, buflen, "one uid only");
665 if (bsde_parse_uidrange(argv[current+1],
666 &uid_min, &uid_max, buflen, errstr) < 0)
668 flags |= MBS_UID_DEFINED;
670 neg ^= MBS_UID_DEFINED;
674 } else if (strcmp(argv[current], "gid") == 0) {
675 if (current + 2 > argc) {
676 snprintf(errstr, buflen, "gid short");
679 if (flags & MBS_GID_DEFINED) {
680 snprintf(errstr, buflen, "one gid only");
683 if (bsde_parse_gidrange(argv[current+1],
684 &gid_min, &gid_max, buflen, errstr) < 0)
686 flags |= MBS_GID_DEFINED;
688 neg ^= MBS_GID_DEFINED;
692 } else if (strcmp(argv[current], "jailid") == 0) {
693 if (current + 2 > argc) {
694 snprintf(errstr, buflen, "prison short");
697 if (flags & MBS_PRISON_DEFINED) {
698 snprintf(errstr, buflen, "one jail only");
701 jid = bsde_get_jailid(argv[current+1], buflen, errstr);
704 flags |= MBS_PRISON_DEFINED;
706 neg ^= MBS_PRISON_DEFINED;
710 } else if (strcmp(argv[current], "!") == 0) {
712 snprintf(errstr, buflen, "double negative");
718 snprintf(errstr, buflen, "'%s' not expected",
724 subject->mbs_flags = flags;
726 subject->mbs_neg = MBS_ALL_FLAGS ^ neg;
728 subject->mbs_neg = neg;
729 if (flags & MBS_UID_DEFINED) {
730 subject->mbs_uid_min = uid_min;
731 subject->mbs_uid_max = uid_max;
733 if (flags & MBS_GID_DEFINED) {
734 subject->mbs_gid_min = gid_min;
735 subject->mbs_gid_max = gid_max;
737 if (flags & MBS_PRISON_DEFINED)
738 subject->mbs_prison = jid;
744 bsde_parse_type(char *spec, int *type, size_t buflen, char *errstr)
749 for (i = 0; i < strlen(spec); i++) {
753 *type |= MBO_TYPE_REG;
756 *type |= MBO_TYPE_DIR;
759 *type |= MBO_TYPE_BLK;
762 *type |= MBO_TYPE_CHR;
765 *type |= MBO_TYPE_LNK;
768 *type |= MBO_TYPE_SOCK;
771 *type |= MBO_TYPE_FIFO;
774 *type |= MBO_ALL_TYPE;
777 snprintf(errstr, buflen, "Unknown type code: %c",
787 bsde_parse_fsid(char *spec, struct fsid *fsid, size_t buflen, char *errstr)
791 if (statfs(spec, &buf) < 0) {
792 snprintf(errstr, buflen, "Unable to get id for %s: %s",
793 spec, strerror(errno));
803 bsde_parse_object(int argc, char *argv[],
804 struct mac_bsdextended_object *object, size_t buflen, char *errstr)
807 int current, neg, nextnot;
808 uid_t uid_min, uid_max;
809 gid_t gid_min, gid_max;
818 if (strcmp("not", argv[current]) == 0) {
824 while (current < argc) {
825 if (strcmp(argv[current], "uid") == 0) {
826 if (current + 2 > argc) {
827 snprintf(errstr, buflen, "uid short");
830 if (flags & MBO_UID_DEFINED) {
831 snprintf(errstr, buflen, "one uid only");
834 if (bsde_parse_uidrange(argv[current+1],
835 &uid_min, &uid_max, buflen, errstr) < 0)
837 flags |= MBO_UID_DEFINED;
839 neg ^= MBO_UID_DEFINED;
843 } else if (strcmp(argv[current], "gid") == 0) {
844 if (current + 2 > argc) {
845 snprintf(errstr, buflen, "gid short");
848 if (flags & MBO_GID_DEFINED) {
849 snprintf(errstr, buflen, "one gid only");
852 if (bsde_parse_gidrange(argv[current+1],
853 &gid_min, &gid_max, buflen, errstr) < 0)
855 flags |= MBO_GID_DEFINED;
857 neg ^= MBO_GID_DEFINED;
861 } else if (strcmp(argv[current], "filesys") == 0) {
862 if (current + 2 > argc) {
863 snprintf(errstr, buflen, "filesys short");
866 if (flags & MBO_FSID_DEFINED) {
867 snprintf(errstr, buflen, "one fsid only");
870 if (bsde_parse_fsid(argv[current+1], &fsid,
873 flags |= MBO_FSID_DEFINED;
875 neg ^= MBO_FSID_DEFINED;
879 } else if (strcmp(argv[current], "suid") == 0) {
886 } else if (strcmp(argv[current], "sgid") == 0) {
893 } else if (strcmp(argv[current], "uid_of_subject") == 0) {
894 flags |= MBO_UID_SUBJECT;
896 neg ^= MBO_UID_SUBJECT;
900 } else if (strcmp(argv[current], "gid_of_subject") == 0) {
901 flags |= MBO_GID_SUBJECT;
903 neg ^= MBO_GID_SUBJECT;
907 } else if (strcmp(argv[current], "type") == 0) {
908 if (current + 2 > argc) {
909 snprintf(errstr, buflen, "type short");
912 if (flags & MBO_TYPE_DEFINED) {
913 snprintf(errstr, buflen, "one type only");
916 if (bsde_parse_type(argv[current+1], &type,
919 flags |= MBO_TYPE_DEFINED;
921 neg ^= MBO_TYPE_DEFINED;
925 } else if (strcmp(argv[current], "!") == 0) {
927 snprintf(errstr, buflen,
934 snprintf(errstr, buflen, "'%s' not expected",
940 object->mbo_flags = flags;
942 object->mbo_neg = MBO_ALL_FLAGS ^ neg;
944 object->mbo_neg = neg;
945 if (flags & MBO_UID_DEFINED) {
946 object->mbo_uid_min = uid_min;
947 object->mbo_uid_max = uid_max;
949 if (flags & MBO_GID_DEFINED) {
950 object->mbo_gid_min = gid_min;
951 object->mbo_gid_max = gid_max;
953 if (flags & MBO_FSID_DEFINED)
954 object->mbo_fsid = fsid;
955 if (flags & MBO_TYPE_DEFINED)
956 object->mbo_type = type;
962 bsde_parse_mode(int argc, char *argv[], mode_t *mode, size_t buflen,
968 snprintf(errstr, buflen, "mode expects mode value");
973 snprintf(errstr, buflen, "'%s' unexpected", argv[1]);
978 for (i = 0; i < strlen(argv[0]); i++) {
979 switch (argv[0][i]) {
999 snprintf(errstr, buflen, "Unknown mode letter: %c",
1009 bsde_parse_rule(int argc, char *argv[], struct mac_bsdextended_rule *rule,
1010 size_t buflen, char *errstr)
1012 int subject, subject_elements, subject_elements_length;
1013 int object, object_elements, object_elements_length;
1014 int mode, mode_elements, mode_elements_length;
1017 bzero(rule, sizeof(*rule));
1020 snprintf(errstr, buflen, "Rule must begin with subject");
1024 if (strcmp(argv[0], "subject") != 0) {
1025 snprintf(errstr, buflen, "Rule must begin with subject");
1029 subject_elements = 1;
1031 /* Search forward for object. */
1034 for (i = 1; i < argc; i++)
1035 if (strcmp(argv[i], "object") == 0)
1039 snprintf(errstr, buflen, "Rule must contain an object");
1043 /* Search forward for mode. */
1045 for (i = object; i < argc; i++)
1046 if (strcmp(argv[i], "mode") == 0)
1050 snprintf(errstr, buflen, "Rule must contain mode");
1054 subject_elements_length = object - subject - 1;
1055 object_elements = object + 1;
1056 object_elements_length = mode - object_elements;
1057 mode_elements = mode + 1;
1058 mode_elements_length = argc - mode_elements;
1060 error = bsde_parse_subject(subject_elements_length,
1061 argv + subject_elements, &rule->mbr_subject, buflen, errstr);
1065 error = bsde_parse_object(object_elements_length,
1066 argv + object_elements, &rule->mbr_object, buflen, errstr);
1070 error = bsde_parse_mode(mode_elements_length, argv + mode_elements,
1071 &rule->mbr_mode, buflen, errstr);
1079 bsde_parse_rule_string(const char *string, struct mac_bsdextended_rule *rule,
1080 size_t buflen, char *errstr)
1082 char *stringdup, *stringp, *argv[100], **ap;
1085 stringp = stringdup = strdup(string);
1086 while (*stringp == ' ' || *stringp == '\t')
1090 for (ap = argv; (*ap = strsep(&stringp, " \t")) != NULL;) {
1093 if (++ap >= &argv[100])
1097 error = bsde_parse_rule(argc, argv, rule, buflen, errstr);
1105 bsde_get_mib(const char *string, int *name, size_t *namelen)
1111 error = sysctlnametomib(string, name, &len);
1120 bsde_check_version(size_t buflen, char *errstr)
1126 len = sizeof(version);
1127 error = sysctlbyname(MIB ".rule_version", &version, &len, NULL, 0);
1129 snprintf(errstr, buflen, "version check failed: %s",
1133 if (version != MB_VERSION) {
1134 snprintf(errstr, buflen, "module v%d != library v%d",
1135 version, MB_VERSION);
1142 bsde_get_rule_count(size_t buflen, char *errstr)
1148 len = sizeof(rule_count);
1149 error = sysctlbyname(MIB ".rule_count", &rule_count, &len, NULL, 0);
1151 snprintf(errstr, buflen, "%s", strerror(errno));
1154 if (len != sizeof(rule_count)) {
1155 snprintf(errstr, buflen, "Data error in %s.rule_count",
1160 return (rule_count);
1164 bsde_get_rule_slots(size_t buflen, char *errstr)
1170 len = sizeof(rule_slots);
1171 error = sysctlbyname(MIB ".rule_slots", &rule_slots, &len, NULL, 0);
1173 snprintf(errstr, buflen, "%s", strerror(errno));
1176 if (len != sizeof(rule_slots)) {
1177 snprintf(errstr, buflen, "Data error in %s.rule_slots", MIB);
1181 return (rule_slots);
1185 * Returns 0 for success;
1186 * Returns -1 for failure;
1187 * Returns -2 for not present
1190 bsde_get_rule(int rulenum, struct mac_bsdextended_rule *rule, size_t errlen,
1197 if (bsde_check_version(errlen, errstr) != 0)
1201 error = bsde_get_mib(MIB ".rules", name, &len);
1203 snprintf(errstr, errlen, "%s: %s", MIB ".rules",
1208 size = sizeof(*rule);
1209 name[len] = rulenum;
1211 error = sysctl(name, len, rule, &size, NULL, 0);
1212 if (error == -1 && errno == ENOENT)
1215 snprintf(errstr, errlen, "%s.%d: %s", MIB ".rules",
1216 rulenum, strerror(errno));
1218 } else if (size != sizeof(*rule)) {
1219 snprintf(errstr, errlen, "Data error in %s.%d: %s",
1220 MIB ".rules", rulenum, strerror(errno));
1228 bsde_delete_rule(int rulenum, size_t buflen, char *errstr)
1230 struct mac_bsdextended_rule rule;
1235 if (bsde_check_version(buflen, errstr) != 0)
1239 error = bsde_get_mib(MIB ".rules", name, &len);
1241 snprintf(errstr, buflen, "%s: %s", MIB ".rules",
1246 name[len] = rulenum;
1249 size = sizeof(rule);
1250 error = sysctl(name, len, NULL, NULL, &rule, 0);
1252 snprintf(errstr, buflen, "%s.%d: %s", MIB ".rules",
1253 rulenum, strerror(errno));
1261 bsde_set_rule(int rulenum, struct mac_bsdextended_rule *rule, size_t buflen,
1268 if (bsde_check_version(buflen, errstr) != 0)
1272 error = bsde_get_mib(MIB ".rules", name, &len);
1274 snprintf(errstr, buflen, "%s: %s", MIB ".rules",
1279 name[len] = rulenum;
1282 size = sizeof(*rule);
1283 error = sysctl(name, len, NULL, NULL, rule, size);
1285 snprintf(errstr, buflen, "%s.%d: %s", MIB ".rules",
1286 rulenum, strerror(errno));
1294 bsde_add_rule(int *rulenum, struct mac_bsdextended_rule *rule, size_t buflen,
1297 char charstr[BUFSIZ];
1300 int error, rule_slots;
1302 if (bsde_check_version(buflen, errstr) != 0)
1306 error = bsde_get_mib(MIB ".rules", name, &len);
1308 snprintf(errstr, buflen, "%s: %s", MIB ".rules",
1313 rule_slots = bsde_get_rule_slots(BUFSIZ, charstr);
1314 if (rule_slots == -1) {
1315 snprintf(errstr, buflen, "unable to get rule slots: %s",
1320 name[len] = rule_slots;
1323 size = sizeof(*rule);
1324 error = sysctl(name, len, NULL, NULL, rule, size);
1326 snprintf(errstr, buflen, "%s.%d: %s", MIB ".rules",
1327 rule_slots, strerror(errno));
1331 if (rulenum != NULL)
1332 *rulenum = rule_slots;
projects / FreeBSD / stable / 10.git / blob