40 */ 41/* 42 * Developed by the TrustedBSD Project. 43 * 44 * Framework for extensible kernel access control. Kernel and userland 45 * interface to the framework, policy registration and composition. 46 */ 47 48#include "opt_mac.h" 49 50#include <sys/param.h> 51#include <sys/extattr.h> 52#include <sys/kernel.h> 53#include <sys/lock.h> 54#include <sys/malloc.h> 55#include <sys/mutex.h> 56#include <sys/mac.h> 57#include <sys/module.h> 58#include <sys/proc.h> 59#include <sys/systm.h> 60#include <sys/sysproto.h> 61#include <sys/sysent.h> 62#include <sys/vnode.h> 63#include <sys/mount.h> 64#include <sys/file.h> 65#include <sys/namei.h> 66#include <sys/socket.h> 67#include <sys/pipe.h> 68#include <sys/socketvar.h> 69#include <sys/sysctl.h> 70 71#include <vm/vm.h> 72#include <vm/pmap.h> 73#include <vm/vm_map.h> 74#include <vm/vm_object.h> 75 76#include <sys/mac_policy.h> 77 78#include <fs/devfs/devfs.h> 79 80#include <net/bpfdesc.h> 81#include <net/if.h> 82#include <net/if_var.h> 83 84#include <netinet/in.h> 85#include <netinet/ip_var.h> 86 87#ifdef MAC 88 89/* 90 * Declare that the kernel provides MAC support, version 1. This permits 91 * modules to refuse to be loaded if the necessary support isn't present, 92 * even if it's pre-boot. 93 */ 94MODULE_VERSION(kernel_mac_support, 1); 95 96SYSCTL_DECL(_security); 97 98SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0, 99 "TrustedBSD MAC policy controls"); 100SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0, 101 "TrustedBSD MAC debug info"); 102 103static int mac_debug_label_fallback = 0; 104SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW, 105 &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label" 106 "when label is corrupted."); 107TUNABLE_INT("security.mac.debug_label_fallback", 108 &mac_debug_label_fallback); 109 110#ifndef MAC_MAX_POLICIES 111#define MAC_MAX_POLICIES 8 112#endif 113#if MAC_MAX_POLICIES > 32 114#error "MAC_MAX_POLICIES too large" 115#endif 116static unsigned int mac_max_policies = MAC_MAX_POLICIES; 117static unsigned int mac_policy_offsets_free = (1 << MAC_MAX_POLICIES) - 1; 118SYSCTL_UINT(_security_mac, OID_AUTO, max_policies, CTLFLAG_RD, 119 &mac_max_policies, 0, ""); 120 121static int mac_late = 0; 122 123static int mac_enforce_fs = 1; 124SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, 125 &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); 126TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); 127 128static int mac_enforce_network = 1; 129SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, 130 &mac_enforce_network, 0, "Enforce MAC policy on network packets"); 131TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network); 132 133static int mac_enforce_pipe = 1; 134SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW, 135 &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations"); 136 137static int mac_enforce_process = 1; 138SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW, 139 &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations"); 140TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process); 141 142static int mac_enforce_socket = 1; 143SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, 144 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); 145TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); 146 147static int mac_enforce_vm = 1; 148SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW, 149 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations"); 150 151static int mac_label_size = sizeof(struct mac); 152SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, 153 &mac_label_size, 0, "Pre-compiled MAC label size"); 154 155static int mac_cache_fslabel_in_vnode = 1; 156SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW, 157 &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode"); 158TUNABLE_INT("security.mac.cache_fslabel_in_vnode", 159 &mac_cache_fslabel_in_vnode); 160 161static int mac_vnode_label_cache_hits = 0; 162SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD, 163 &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels"); 164static int mac_vnode_label_cache_misses = 0; 165SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD, 166 &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels"); 167 168static int mac_mmap_revocation = 1; 169SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW, 170 &mac_mmap_revocation, 0, "Revoke mmap access to files on subject " 171 "relabel"); 172static int mac_mmap_revocation_via_cow = 0; 173SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, 174 &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " 175 "copy-on-write semantics, or by removing all write access"); 176 177#ifdef MAC_DEBUG 178static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, 179 nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, 180 nmacipqs, nmacpipes; 181SYSCTL_UINT(_security_mac_debug, OID_AUTO, mbufs, CTLFLAG_RD, 182 &nmacmbufs, 0, "number of mbufs in use"); 183SYSCTL_UINT(_security_mac_debug, OID_AUTO, creds, CTLFLAG_RD, 184 &nmaccreds, 0, "number of ucreds in use"); 185SYSCTL_UINT(_security_mac_debug, OID_AUTO, ifnets, CTLFLAG_RD, 186 &nmacifnets, 0, "number of ifnets in use"); 187SYSCTL_UINT(_security_mac_debug, OID_AUTO, ipqs, CTLFLAG_RD, 188 &nmacipqs, 0, "number of ipqs in use"); 189SYSCTL_UINT(_security_mac_debug, OID_AUTO, bpfdescs, CTLFLAG_RD, 190 &nmacbpfdescs, 0, "number of bpfdescs in use"); 191SYSCTL_UINT(_security_mac_debug, OID_AUTO, sockets, CTLFLAG_RD, 192 &nmacsockets, 0, "number of sockets in use"); 193SYSCTL_UINT(_security_mac_debug, OID_AUTO, pipes, CTLFLAG_RD, 194 &nmacpipes, 0, "number of pipes in use"); 195SYSCTL_UINT(_security_mac_debug, OID_AUTO, mounts, CTLFLAG_RD, 196 &nmacmounts, 0, "number of mounts in use"); 197SYSCTL_UINT(_security_mac_debug, OID_AUTO, temp, CTLFLAG_RD, 198 &nmactemp, 0, "number of temporary labels in use"); 199SYSCTL_UINT(_security_mac_debug, OID_AUTO, vnodes, CTLFLAG_RD, 200 &nmacvnodes, 0, "number of vnodes in use"); 201SYSCTL_UINT(_security_mac_debug, OID_AUTO, devfsdirents, CTLFLAG_RD, 202 &nmacdevfsdirents, 0, "number of devfs dirents inuse"); 203#endif 204 205static int error_select(int error1, int error2); 206static int mac_externalize(struct label *label, struct mac *mac); 207static int mac_policy_register(struct mac_policy_conf *mpc); 208static int mac_policy_unregister(struct mac_policy_conf *mpc); 209 210static int mac_stdcreatevnode_ea(struct vnode *vp); 211static void mac_cred_mmapped_drop_perms(struct thread *td, 212 struct ucred *cred); 213static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, 214 struct ucred *cred, struct vm_map *map); 215 216MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector"); 217MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes"); 218 219/* 220 * mac_policy_list_lock protects the consistency of 'mac_policy_list', 221 * the linked list of attached policy modules. Read-only consumers of 222 * the list must acquire a shared lock for the duration of their use; 223 * writers must acquire an exclusive lock. Note that for compound 224 * operations, locks should be held for the entire compound operation, 225 * and that this is not yet done for relabel requests. 226 */ 227static struct mtx mac_policy_list_lock; 228static LIST_HEAD(, mac_policy_conf) mac_policy_list; 229static int mac_policy_list_busy; 230#define MAC_POLICY_LIST_LOCKINIT() mtx_init(&mac_policy_list_lock, \ 231 "mac_policy_list_lock", NULL, MTX_DEF); 232#define MAC_POLICY_LIST_LOCK() mtx_lock(&mac_policy_list_lock); 233#define MAC_POLICY_LIST_UNLOCK() mtx_unlock(&mac_policy_list_lock); 234 235#define MAC_POLICY_LIST_BUSY() do { \ 236 MAC_POLICY_LIST_LOCK(); \ 237 mac_policy_list_busy++; \ 238 MAC_POLICY_LIST_UNLOCK(); \ 239} while (0) 240 241#define MAC_POLICY_LIST_UNBUSY() do { \ 242 MAC_POLICY_LIST_LOCK(); \ 243 mac_policy_list_busy--; \ 244 if (mac_policy_list_busy < 0) \ 245 panic("Extra mac_policy_list_busy--"); \ 246 MAC_POLICY_LIST_UNLOCK(); \ 247} while (0) 248 249/* 250 * MAC_CHECK performs the designated check by walking the policy 251 * module list and checking with each as to how it feels about the 252 * request. Note that it returns its value via 'error' in the scope 253 * of the caller. 254 */ 255#define MAC_CHECK(check, args...) do { \ 256 struct mac_policy_conf *mpc; \ 257 \ 258 error = 0; \ 259 MAC_POLICY_LIST_BUSY(); \ 260 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ 261 if (mpc->mpc_ops->mpo_ ## check != NULL) \ 262 error = error_select( \ 263 mpc->mpc_ops->mpo_ ## check (args), \ 264 error); \ 265 } \ 266 MAC_POLICY_LIST_UNBUSY(); \ 267} while (0) 268 269/* 270 * MAC_BOOLEAN performs the designated boolean composition by walking 271 * the module list, invoking each instance of the operation, and 272 * combining the results using the passed C operator. Note that it 273 * returns its value via 'result' in the scope of the caller, which 274 * should be initialized by the caller in a meaningful way to get 275 * a meaningful result. 276 */ 277#define MAC_BOOLEAN(operation, composition, args...) do { \ 278 struct mac_policy_conf *mpc; \ 279 \ 280 MAC_POLICY_LIST_BUSY(); \ 281 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ 282 if (mpc->mpc_ops->mpo_ ## operation != NULL) \ 283 result = result composition \ 284 mpc->mpc_ops->mpo_ ## operation (args); \ 285 } \ 286 MAC_POLICY_LIST_UNBUSY(); \ 287} while (0) 288 289/* 290 * MAC_PERFORM performs the designated operation by walking the policy 291 * module list and invoking that operation for each policy. 292 */ 293#define MAC_PERFORM(operation, args...) do { \ 294 struct mac_policy_conf *mpc; \ 295 \ 296 MAC_POLICY_LIST_BUSY(); \ 297 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ 298 if (mpc->mpc_ops->mpo_ ## operation != NULL) \ 299 mpc->mpc_ops->mpo_ ## operation (args); \ 300 } \ 301 MAC_POLICY_LIST_UNBUSY(); \ 302} while (0) 303 304/* 305 * Initialize the MAC subsystem, including appropriate SMP locks. 306 */ 307static void 308mac_init(void) 309{ 310 311 LIST_INIT(&mac_policy_list); 312 MAC_POLICY_LIST_LOCKINIT(); 313} 314 315/* 316 * For the purposes of modules that want to know if they were loaded 317 * "early", set the mac_late flag once we've processed modules either 318 * linked into the kernel, or loaded before the kernel startup. 319 */ 320static void 321mac_late_init(void) 322{ 323 324 mac_late = 1; 325} 326 327/* 328 * Allow MAC policy modules to register during boot, etc. 329 */ 330int 331mac_policy_modevent(module_t mod, int type, void *data) 332{ 333 struct mac_policy_conf *mpc; 334 int error; 335 336 error = 0; 337 mpc = (struct mac_policy_conf *) data; 338 339 switch (type) { 340 case MOD_LOAD: 341 if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE && 342 mac_late) { 343 printf("mac_policy_modevent: can't load %s policy " 344 "after booting\n", mpc->mpc_name); 345 error = EBUSY; 346 break; 347 } 348 error = mac_policy_register(mpc); 349 break; 350 case MOD_UNLOAD: 351 /* Don't unregister the module if it was never registered. */ 352 if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) 353 != 0) 354 error = mac_policy_unregister(mpc); 355 else 356 error = 0; 357 break; 358 default: 359 break; 360 } 361 362 return (error); 363} 364 365static int 366mac_policy_register(struct mac_policy_conf *mpc) 367{ 368 struct mac_policy_conf *tmpc;
|
374 for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) { 375 switch (mpe->mpe_constant) { 376 case MAC_OP_LAST: 377 /* 378 * Doesn't actually happen, but this allows checking 379 * that all enumerated values are handled. 380 */ 381 break; 382 case MAC_DESTROY: 383 mpc->mpc_ops->mpo_destroy = 384 mpe->mpe_function; 385 break; 386 case MAC_INIT: 387 mpc->mpc_ops->mpo_init = 388 mpe->mpe_function; 389 break; 390 case MAC_SYSCALL: 391 mpc->mpc_ops->mpo_syscall = 392 mpe->mpe_function; 393 break; 394 case MAC_INIT_BPFDESC: 395 mpc->mpc_ops->mpo_init_bpfdesc = 396 mpe->mpe_function; 397 break; 398 case MAC_INIT_CRED: 399 mpc->mpc_ops->mpo_init_cred = 400 mpe->mpe_function; 401 break; 402 case MAC_INIT_DEVFSDIRENT: 403 mpc->mpc_ops->mpo_init_devfsdirent = 404 mpe->mpe_function; 405 break; 406 case MAC_INIT_IFNET: 407 mpc->mpc_ops->mpo_init_ifnet = 408 mpe->mpe_function; 409 break; 410 case MAC_INIT_IPQ: 411 mpc->mpc_ops->mpo_init_ipq = 412 mpe->mpe_function; 413 break; 414 case MAC_INIT_MBUF: 415 mpc->mpc_ops->mpo_init_mbuf = 416 mpe->mpe_function; 417 break; 418 case MAC_INIT_MOUNT: 419 mpc->mpc_ops->mpo_init_mount = 420 mpe->mpe_function; 421 break; 422 case MAC_INIT_PIPE: 423 mpc->mpc_ops->mpo_init_pipe = 424 mpe->mpe_function; 425 break; 426 case MAC_INIT_SOCKET: 427 mpc->mpc_ops->mpo_init_socket = 428 mpe->mpe_function; 429 break; 430 case MAC_INIT_TEMP: 431 mpc->mpc_ops->mpo_init_temp = 432 mpe->mpe_function; 433 break; 434 case MAC_INIT_VNODE: 435 mpc->mpc_ops->mpo_init_vnode = 436 mpe->mpe_function; 437 break; 438 case MAC_DESTROY_BPFDESC: 439 mpc->mpc_ops->mpo_destroy_bpfdesc = 440 mpe->mpe_function; 441 break; 442 case MAC_DESTROY_CRED: 443 mpc->mpc_ops->mpo_destroy_cred = 444 mpe->mpe_function; 445 break; 446 case MAC_DESTROY_DEVFSDIRENT: 447 mpc->mpc_ops->mpo_destroy_devfsdirent = 448 mpe->mpe_function; 449 break; 450 case MAC_DESTROY_IFNET: 451 mpc->mpc_ops->mpo_destroy_ifnet = 452 mpe->mpe_function; 453 break; 454 case MAC_DESTROY_IPQ: 455 mpc->mpc_ops->mpo_destroy_ipq = 456 mpe->mpe_function; 457 break; 458 case MAC_DESTROY_MBUF: 459 mpc->mpc_ops->mpo_destroy_mbuf = 460 mpe->mpe_function; 461 break; 462 case MAC_DESTROY_MOUNT: 463 mpc->mpc_ops->mpo_destroy_mount = 464 mpe->mpe_function; 465 break; 466 case MAC_DESTROY_PIPE: 467 mpc->mpc_ops->mpo_destroy_pipe = 468 mpe->mpe_function; 469 break; 470 case MAC_DESTROY_SOCKET: 471 mpc->mpc_ops->mpo_destroy_socket = 472 mpe->mpe_function; 473 break; 474 case MAC_DESTROY_TEMP: 475 mpc->mpc_ops->mpo_destroy_temp = 476 mpe->mpe_function; 477 break; 478 case MAC_DESTROY_VNODE: 479 mpc->mpc_ops->mpo_destroy_vnode = 480 mpe->mpe_function; 481 break; 482 case MAC_EXTERNALIZE: 483 mpc->mpc_ops->mpo_externalize = 484 mpe->mpe_function; 485 break; 486 case MAC_INTERNALIZE: 487 mpc->mpc_ops->mpo_internalize = 488 mpe->mpe_function; 489 break; 490 case MAC_CREATE_DEVFS_DEVICE: 491 mpc->mpc_ops->mpo_create_devfs_device = 492 mpe->mpe_function; 493 break; 494 case MAC_CREATE_DEVFS_DIRECTORY: 495 mpc->mpc_ops->mpo_create_devfs_directory = 496 mpe->mpe_function; 497 break; 498 case MAC_CREATE_DEVFS_VNODE: 499 mpc->mpc_ops->mpo_create_devfs_vnode = 500 mpe->mpe_function; 501 break; 502 case MAC_STDCREATEVNODE_EA: 503 mpc->mpc_ops->mpo_stdcreatevnode_ea = 504 mpe->mpe_function; 505 break; 506 case MAC_CREATE_VNODE: 507 mpc->mpc_ops->mpo_create_vnode = 508 mpe->mpe_function; 509 break; 510 case MAC_CREATE_MOUNT: 511 mpc->mpc_ops->mpo_create_mount = 512 mpe->mpe_function; 513 break; 514 case MAC_CREATE_ROOT_MOUNT: 515 mpc->mpc_ops->mpo_create_root_mount = 516 mpe->mpe_function; 517 break; 518 case MAC_RELABEL_VNODE: 519 mpc->mpc_ops->mpo_relabel_vnode = 520 mpe->mpe_function; 521 break; 522 case MAC_UPDATE_DEVFSDIRENT: 523 mpc->mpc_ops->mpo_update_devfsdirent = 524 mpe->mpe_function; 525 break; 526 case MAC_UPDATE_PROCFSVNODE: 527 mpc->mpc_ops->mpo_update_procfsvnode = 528 mpe->mpe_function; 529 break; 530 case MAC_UPDATE_VNODE_FROM_EXTATTR: 531 mpc->mpc_ops->mpo_update_vnode_from_extattr = 532 mpe->mpe_function; 533 break; 534 case MAC_UPDATE_VNODE_FROM_EXTERNALIZED: 535 mpc->mpc_ops->mpo_update_vnode_from_externalized = 536 mpe->mpe_function; 537 break; 538 case MAC_UPDATE_VNODE_FROM_MOUNT: 539 mpc->mpc_ops->mpo_update_vnode_from_mount = 540 mpe->mpe_function; 541 break; 542 case MAC_CREATE_MBUF_FROM_SOCKET: 543 mpc->mpc_ops->mpo_create_mbuf_from_socket = 544 mpe->mpe_function; 545 break; 546 case MAC_CREATE_PIPE: 547 mpc->mpc_ops->mpo_create_pipe = 548 mpe->mpe_function; 549 break; 550 case MAC_CREATE_SOCKET: 551 mpc->mpc_ops->mpo_create_socket = 552 mpe->mpe_function; 553 break; 554 case MAC_CREATE_SOCKET_FROM_SOCKET: 555 mpc->mpc_ops->mpo_create_socket_from_socket = 556 mpe->mpe_function; 557 break; 558 case MAC_RELABEL_PIPE: 559 mpc->mpc_ops->mpo_relabel_pipe = 560 mpe->mpe_function; 561 break; 562 case MAC_RELABEL_SOCKET: 563 mpc->mpc_ops->mpo_relabel_socket = 564 mpe->mpe_function; 565 break; 566 case MAC_SET_SOCKET_PEER_FROM_MBUF: 567 mpc->mpc_ops->mpo_set_socket_peer_from_mbuf = 568 mpe->mpe_function; 569 break; 570 case MAC_SET_SOCKET_PEER_FROM_SOCKET: 571 mpc->mpc_ops->mpo_set_socket_peer_from_socket = 572 mpe->mpe_function; 573 break; 574 case MAC_CREATE_BPFDESC: 575 mpc->mpc_ops->mpo_create_bpfdesc = 576 mpe->mpe_function; 577 break; 578 case MAC_CREATE_DATAGRAM_FROM_IPQ: 579 mpc->mpc_ops->mpo_create_datagram_from_ipq = 580 mpe->mpe_function; 581 break; 582 case MAC_CREATE_FRAGMENT: 583 mpc->mpc_ops->mpo_create_fragment = 584 mpe->mpe_function; 585 break; 586 case MAC_CREATE_IFNET: 587 mpc->mpc_ops->mpo_create_ifnet = 588 mpe->mpe_function; 589 break; 590 case MAC_CREATE_IPQ: 591 mpc->mpc_ops->mpo_create_ipq = 592 mpe->mpe_function; 593 break; 594 case MAC_CREATE_MBUF_FROM_MBUF: 595 mpc->mpc_ops->mpo_create_mbuf_from_mbuf = 596 mpe->mpe_function; 597 break; 598 case MAC_CREATE_MBUF_LINKLAYER: 599 mpc->mpc_ops->mpo_create_mbuf_linklayer = 600 mpe->mpe_function; 601 break; 602 case MAC_CREATE_MBUF_FROM_BPFDESC: 603 mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc = 604 mpe->mpe_function; 605 break; 606 case MAC_CREATE_MBUF_FROM_IFNET: 607 mpc->mpc_ops->mpo_create_mbuf_from_ifnet = 608 mpe->mpe_function; 609 break; 610 case MAC_CREATE_MBUF_MULTICAST_ENCAP: 611 mpc->mpc_ops->mpo_create_mbuf_multicast_encap = 612 mpe->mpe_function; 613 break; 614 case MAC_CREATE_MBUF_NETLAYER: 615 mpc->mpc_ops->mpo_create_mbuf_netlayer = 616 mpe->mpe_function; 617 break; 618 case MAC_FRAGMENT_MATCH: 619 mpc->mpc_ops->mpo_fragment_match = 620 mpe->mpe_function; 621 break; 622 case MAC_RELABEL_IFNET: 623 mpc->mpc_ops->mpo_relabel_ifnet = 624 mpe->mpe_function; 625 break; 626 case MAC_UPDATE_IPQ: 627 mpc->mpc_ops->mpo_update_ipq = 628 mpe->mpe_function; 629 break; 630 case MAC_CREATE_CRED: 631 mpc->mpc_ops->mpo_create_cred = 632 mpe->mpe_function; 633 break; 634 case MAC_EXECVE_TRANSITION: 635 mpc->mpc_ops->mpo_execve_transition = 636 mpe->mpe_function; 637 break; 638 case MAC_EXECVE_WILL_TRANSITION: 639 mpc->mpc_ops->mpo_execve_will_transition = 640 mpe->mpe_function; 641 break; 642 case MAC_CREATE_PROC0: 643 mpc->mpc_ops->mpo_create_proc0 = mpe->mpe_function; 644 break; 645 case MAC_CREATE_PROC1: 646 mpc->mpc_ops->mpo_create_proc1 = mpe->mpe_function; 647 break; 648 case MAC_RELABEL_CRED: 649 mpc->mpc_ops->mpo_relabel_cred = 650 mpe->mpe_function; 651 break; 652 case MAC_CHECK_BPFDESC_RECEIVE: 653 mpc->mpc_ops->mpo_check_bpfdesc_receive = 654 mpe->mpe_function; 655 break; 656 case MAC_CHECK_CRED_RELABEL: 657 mpc->mpc_ops->mpo_check_cred_relabel = 658 mpe->mpe_function; 659 break; 660 case MAC_CHECK_CRED_VISIBLE: 661 mpc->mpc_ops->mpo_check_cred_visible = 662 mpe->mpe_function; 663 break; 664 case MAC_CHECK_IFNET_RELABEL: 665 mpc->mpc_ops->mpo_check_ifnet_relabel = 666 mpe->mpe_function; 667 break; 668 case MAC_CHECK_IFNET_TRANSMIT: 669 mpc->mpc_ops->mpo_check_ifnet_transmit = 670 mpe->mpe_function; 671 break; 672 case MAC_CHECK_MOUNT_STAT: 673 mpc->mpc_ops->mpo_check_mount_stat = 674 mpe->mpe_function; 675 break; 676 case MAC_CHECK_PIPE_IOCTL: 677 mpc->mpc_ops->mpo_check_pipe_ioctl = 678 mpe->mpe_function; 679 break; 680 case MAC_CHECK_PIPE_POLL: 681 mpc->mpc_ops->mpo_check_pipe_poll = 682 mpe->mpe_function; 683 break; 684 case MAC_CHECK_PIPE_READ: 685 mpc->mpc_ops->mpo_check_pipe_read = 686 mpe->mpe_function; 687 break; 688 case MAC_CHECK_PIPE_RELABEL: 689 mpc->mpc_ops->mpo_check_pipe_relabel = 690 mpe->mpe_function; 691 break; 692 case MAC_CHECK_PIPE_STAT: 693 mpc->mpc_ops->mpo_check_pipe_stat = 694 mpe->mpe_function; 695 break; 696 case MAC_CHECK_PIPE_WRITE: 697 mpc->mpc_ops->mpo_check_pipe_write = 698 mpe->mpe_function; 699 break; 700 case MAC_CHECK_PROC_DEBUG: 701 mpc->mpc_ops->mpo_check_proc_debug = 702 mpe->mpe_function; 703 break; 704 case MAC_CHECK_PROC_SCHED: 705 mpc->mpc_ops->mpo_check_proc_sched = 706 mpe->mpe_function; 707 break; 708 case MAC_CHECK_PROC_SIGNAL: 709 mpc->mpc_ops->mpo_check_proc_signal = 710 mpe->mpe_function; 711 break; 712 case MAC_CHECK_SOCKET_BIND: 713 mpc->mpc_ops->mpo_check_socket_bind = 714 mpe->mpe_function; 715 break; 716 case MAC_CHECK_SOCKET_CONNECT: 717 mpc->mpc_ops->mpo_check_socket_connect = 718 mpe->mpe_function; 719 break; 720 case MAC_CHECK_SOCKET_DELIVER: 721 mpc->mpc_ops->mpo_check_socket_deliver = 722 mpe->mpe_function; 723 break; 724 case MAC_CHECK_SOCKET_LISTEN: 725 mpc->mpc_ops->mpo_check_socket_listen = 726 mpe->mpe_function; 727 break; 728 case MAC_CHECK_SOCKET_RELABEL: 729 mpc->mpc_ops->mpo_check_socket_relabel = 730 mpe->mpe_function; 731 break; 732 case MAC_CHECK_SOCKET_VISIBLE: 733 mpc->mpc_ops->mpo_check_socket_visible = 734 mpe->mpe_function; 735 break; 736 case MAC_CHECK_VNODE_ACCESS: 737 mpc->mpc_ops->mpo_check_vnode_access = 738 mpe->mpe_function; 739 break; 740 case MAC_CHECK_VNODE_CHDIR: 741 mpc->mpc_ops->mpo_check_vnode_chdir = 742 mpe->mpe_function; 743 break; 744 case MAC_CHECK_VNODE_CHROOT: 745 mpc->mpc_ops->mpo_check_vnode_chroot = 746 mpe->mpe_function; 747 break; 748 case MAC_CHECK_VNODE_CREATE: 749 mpc->mpc_ops->mpo_check_vnode_create = 750 mpe->mpe_function; 751 break; 752 case MAC_CHECK_VNODE_DELETE: 753 mpc->mpc_ops->mpo_check_vnode_delete = 754 mpe->mpe_function; 755 break; 756 case MAC_CHECK_VNODE_DELETEACL: 757 mpc->mpc_ops->mpo_check_vnode_deleteacl = 758 mpe->mpe_function; 759 break; 760 case MAC_CHECK_VNODE_EXEC: 761 mpc->mpc_ops->mpo_check_vnode_exec = 762 mpe->mpe_function; 763 break; 764 case MAC_CHECK_VNODE_GETACL: 765 mpc->mpc_ops->mpo_check_vnode_getacl = 766 mpe->mpe_function; 767 break; 768 case MAC_CHECK_VNODE_GETEXTATTR: 769 mpc->mpc_ops->mpo_check_vnode_getextattr = 770 mpe->mpe_function; 771 break; 772 case MAC_CHECK_VNODE_LOOKUP: 773 mpc->mpc_ops->mpo_check_vnode_lookup = 774 mpe->mpe_function; 775 break; 776 case MAC_CHECK_VNODE_MMAP_PERMS: 777 mpc->mpc_ops->mpo_check_vnode_mmap_perms = 778 mpe->mpe_function; 779 break; 780 case MAC_CHECK_VNODE_OPEN: 781 mpc->mpc_ops->mpo_check_vnode_open = 782 mpe->mpe_function; 783 break; 784 case MAC_CHECK_VNODE_POLL: 785 mpc->mpc_ops->mpo_check_vnode_poll = 786 mpe->mpe_function; 787 break; 788 case MAC_CHECK_VNODE_READ: 789 mpc->mpc_ops->mpo_check_vnode_read = 790 mpe->mpe_function; 791 break; 792 case MAC_CHECK_VNODE_READDIR: 793 mpc->mpc_ops->mpo_check_vnode_readdir = 794 mpe->mpe_function; 795 break; 796 case MAC_CHECK_VNODE_READLINK: 797 mpc->mpc_ops->mpo_check_vnode_readlink = 798 mpe->mpe_function; 799 break; 800 case MAC_CHECK_VNODE_RELABEL: 801 mpc->mpc_ops->mpo_check_vnode_relabel = 802 mpe->mpe_function; 803 break; 804 case MAC_CHECK_VNODE_RENAME_FROM: 805 mpc->mpc_ops->mpo_check_vnode_rename_from = 806 mpe->mpe_function; 807 break; 808 case MAC_CHECK_VNODE_RENAME_TO: 809 mpc->mpc_ops->mpo_check_vnode_rename_to = 810 mpe->mpe_function; 811 break; 812 case MAC_CHECK_VNODE_REVOKE: 813 mpc->mpc_ops->mpo_check_vnode_revoke = 814 mpe->mpe_function; 815 break; 816 case MAC_CHECK_VNODE_SETACL: 817 mpc->mpc_ops->mpo_check_vnode_setacl = 818 mpe->mpe_function; 819 break; 820 case MAC_CHECK_VNODE_SETEXTATTR: 821 mpc->mpc_ops->mpo_check_vnode_setextattr = 822 mpe->mpe_function; 823 break; 824 case MAC_CHECK_VNODE_SETFLAGS: 825 mpc->mpc_ops->mpo_check_vnode_setflags = 826 mpe->mpe_function; 827 break; 828 case MAC_CHECK_VNODE_SETMODE: 829 mpc->mpc_ops->mpo_check_vnode_setmode = 830 mpe->mpe_function; 831 break; 832 case MAC_CHECK_VNODE_SETOWNER: 833 mpc->mpc_ops->mpo_check_vnode_setowner = 834 mpe->mpe_function; 835 break; 836 case MAC_CHECK_VNODE_SETUTIMES: 837 mpc->mpc_ops->mpo_check_vnode_setutimes = 838 mpe->mpe_function; 839 break; 840 case MAC_CHECK_VNODE_STAT: 841 mpc->mpc_ops->mpo_check_vnode_stat = 842 mpe->mpe_function; 843 break; 844 case MAC_CHECK_VNODE_WRITE: 845 mpc->mpc_ops->mpo_check_vnode_write = 846 mpe->mpe_function; 847 break; 848/* 849 default: 850 printf("MAC policy `%s': unknown operation %d\n", 851 mpc->mpc_name, mpe->mpe_constant); 852 return (EINVAL); 853*/ 854 } 855 } 856 MAC_POLICY_LIST_LOCK(); 857 if (mac_policy_list_busy > 0) { 858 MAC_POLICY_LIST_UNLOCK(); 859 FREE(mpc->mpc_ops, M_MACOPVEC); 860 mpc->mpc_ops = NULL; 861 return (EBUSY); 862 } 863 LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { 864 if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { 865 MAC_POLICY_LIST_UNLOCK(); 866 FREE(mpc->mpc_ops, M_MACOPVEC); 867 mpc->mpc_ops = NULL; 868 return (EEXIST); 869 } 870 } 871 if (mpc->mpc_field_off != NULL) { 872 slot = ffs(mac_policy_offsets_free); 873 if (slot == 0) { 874 MAC_POLICY_LIST_UNLOCK(); 875 FREE(mpc->mpc_ops, M_MACOPVEC); 876 mpc->mpc_ops = NULL; 877 return (ENOMEM); 878 } 879 slot--; 880 mac_policy_offsets_free &= ~(1 << slot); 881 *mpc->mpc_field_off = slot; 882 } 883 mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED; 884 LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list); 885 886 /* Per-policy initialization. */ 887 if (mpc->mpc_ops->mpo_init != NULL) 888 (*(mpc->mpc_ops->mpo_init))(mpc); 889 MAC_POLICY_LIST_UNLOCK(); 890 891 printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname, 892 mpc->mpc_name); 893 894 return (0); 895} 896 897static int 898mac_policy_unregister(struct mac_policy_conf *mpc) 899{ 900 901#if 0 902 /* 903 * Don't allow unloading modules with private data. 904 */ 905 if (mpc->mpc_field_off != NULL) 906 return (EBUSY); 907#endif 908 if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) 909 return (EBUSY); 910 MAC_POLICY_LIST_LOCK(); 911 if (mac_policy_list_busy > 0) { 912 MAC_POLICY_LIST_UNLOCK(); 913 return (EBUSY); 914 } 915 if (mpc->mpc_ops->mpo_destroy != NULL) 916 (*(mpc->mpc_ops->mpo_destroy))(mpc); 917 918 LIST_REMOVE(mpc, mpc_list); 919 MAC_POLICY_LIST_UNLOCK(); 920 921 FREE(mpc->mpc_ops, M_MACOPVEC); 922 mpc->mpc_ops = NULL; 923 924 printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname, 925 mpc->mpc_name); 926 927 return (0); 928} 929 930/* 931 * Define an error value precedence, and given two arguments, selects the 932 * value with the higher precedence. 933 */ 934static int 935error_select(int error1, int error2) 936{ 937 938 /* Certain decision-making errors take top priority. */ 939 if (error1 == EDEADLK || error2 == EDEADLK) 940 return (EDEADLK); 941 942 /* Invalid arguments should be reported where possible. */ 943 if (error1 == EINVAL || error2 == EINVAL) 944 return (EINVAL); 945 946 /* Precedence goes to "visibility", with both process and file. */ 947 if (error1 == ESRCH || error2 == ESRCH) 948 return (ESRCH); 949 950 if (error1 == ENOENT || error2 == ENOENT) 951 return (ENOENT); 952 953 /* Precedence goes to DAC/MAC protections. */ 954 if (error1 == EACCES || error2 == EACCES) 955 return (EACCES); 956 957 /* Precedence goes to privilege. */ 958 if (error1 == EPERM || error2 == EPERM) 959 return (EPERM); 960 961 /* Precedence goes to error over success; otherwise, arbitrary. */ 962 if (error1 != 0) 963 return (error1); 964 return (error2); 965} 966 967void 968mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp) 969{ 970 971 MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label); 972} 973 974void 975mac_update_procfsvnode(struct vnode *vp, struct ucred *cred) 976{ 977 978 MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred); 979} 980 981/* 982 * Support callout for policies that manage their own externalization 983 * using extended attributes. 984 */ 985static int 986mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp) 987{ 988 int error; 989 990 MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp, 991 &mp->mnt_fslabel); 992 993 return (error); 994} 995 996/* 997 * Given an externalized mac label, internalize it and stamp it on a 998 * vnode. 999 */ 1000static int 1001mac_update_vnode_from_externalized(struct vnode *vp, struct mac *extmac) 1002{ 1003 int error; 1004 1005 MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac); 1006 1007 return (error); 1008} 1009 1010/* 1011 * Call out to individual policies to update the label in a vnode from 1012 * the mountpoint. 1013 */ 1014void 1015mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp) 1016{ 1017 1018 MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp, 1019 &mp->mnt_fslabel); 1020 1021 ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount"); 1022 if (mac_cache_fslabel_in_vnode) 1023 vp->v_vflag |= VV_CACHEDLABEL; 1024} 1025 1026/* 1027 * Implementation of VOP_REFRESHLABEL() that relies on extended attributes 1028 * to store label data. Can be referenced by filesystems supporting 1029 * extended attributes. 1030 */ 1031int 1032vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap) 1033{ 1034 struct vnode *vp = ap->a_vp; 1035 struct mac extmac; 1036 int buflen, error; 1037 1038 ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea"); 1039 1040 /* 1041 * Call out to external policies first. Order doesn't really 1042 * matter, as long as failure of one assures failure of all. 1043 */ 1044 error = mac_update_vnode_from_extattr(vp, vp->v_mount); 1045 if (error) 1046 return (error); 1047 1048 buflen = sizeof(extmac); 1049 error = vn_extattr_get(vp, IO_NODELOCKED, 1050 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen, 1051 (char *)&extmac, curthread); 1052 switch (error) { 1053 case 0: 1054 /* Got it */ 1055 break; 1056 1057 case ENOATTR: 1058 /* 1059 * Use the label from the mount point. 1060 */ 1061 mac_update_vnode_from_mount(vp, vp->v_mount); 1062 return (0); 1063 1064 case EOPNOTSUPP: 1065 default: 1066 /* Fail horribly. */ 1067 return (error); 1068 } 1069 1070 if (buflen != sizeof(extmac)) 1071 error = EPERM; /* Fail very closed. */ 1072 if (error == 0) 1073 error = mac_update_vnode_from_externalized(vp, &extmac); 1074 if (error == 0) 1075 vp->v_vflag |= VV_CACHEDLABEL; 1076 else { 1077 struct vattr va; 1078 1079 printf("Corrupted label on %s", 1080 vp->v_mount->mnt_stat.f_mntonname); 1081 if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0) 1082 printf(" inum %ld", va.va_fileid); 1083 if (mac_debug_label_fallback) { 1084 printf(", falling back.\n"); 1085 mac_update_vnode_from_mount(vp, vp->v_mount); 1086 error = 0; 1087 } else { 1088 printf(".\n"); 1089 error = EPERM; 1090 } 1091 } 1092 1093 return (error); 1094} 1095 1096/* 1097 * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle 1098 * the labeling activity outselves. Filesystems should be careful not 1099 * to change their minds regarding whether they support vop_refreshlabel() 1100 * for a vnode or not. Don't cache the vnode here, allow the file 1101 * system code to determine if it's safe to cache. If we update from 1102 * the mount, don't cache since a change to the mount label should affect 1103 * all vnodes. 1104 */ 1105static int 1106vn_refreshlabel(struct vnode *vp, struct ucred *cred) 1107{ 1108 int error; 1109 1110 ASSERT_VOP_LOCKED(vp, "vn_refreshlabel"); 1111 1112 if (vp->v_mount == NULL) { 1113/* 1114 Eventually, we probably want to special-case refreshing 1115 of deadfs vnodes, and if there's a lock-free race somewhere, 1116 that case might be handled here. 1117 1118 mac_update_vnode_deadfs(vp); 1119 return (0); 1120 */ 1121 /* printf("vn_refreshlabel: null v_mount\n"); */ 1122 if (vp->v_type != VNON) 1123 printf( 1124 "vn_refreshlabel: null v_mount with non-VNON\n"); 1125 return (EBADF); 1126 } 1127 1128 if (vp->v_vflag & VV_CACHEDLABEL) { 1129 mac_vnode_label_cache_hits++; 1130 return (0); 1131 } else 1132 mac_vnode_label_cache_misses++; 1133 1134 if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { 1135 mac_update_vnode_from_mount(vp, vp->v_mount); 1136 return (0); 1137 } 1138 1139 error = VOP_REFRESHLABEL(vp, cred, curthread); 1140 switch (error) { 1141 case EOPNOTSUPP: 1142 /* 1143 * If labels are not supported on this vnode, fall back to 1144 * the label in the mount and propagate it to the vnode. 1145 * There should probably be some sort of policy/flag/decision 1146 * about doing this. 1147 */ 1148 mac_update_vnode_from_mount(vp, vp->v_mount); 1149 error = 0; 1150 default: 1151 return (error); 1152 } 1153} 1154 1155/* 1156 * Helper function for file systems using the vop_std*_ea() calls. This 1157 * function must be called after EA service is available for the vnode, 1158 * but before it's hooked up to the namespace so that the node persists 1159 * if there's a crash, or before it can be accessed. On successful 1160 * commit of the label to disk (etc), do cache the label. 1161 */ 1162int 1163vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred) 1164{ 1165 struct mac extmac; 1166 int error; 1167 1168 ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea"); 1169 if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { 1170 mac_update_vnode_from_mount(tvp, tvp->v_mount); 1171 } else { 1172 error = vn_refreshlabel(dvp, cred); 1173 if (error) 1174 return (error); 1175 1176 /* 1177 * Stick the label in the vnode. Then try to write to 1178 * disk. If we fail, return a failure to abort the 1179 * create operation. Really, this failure shouldn't 1180 * happen except in fairly unusual circumstances (out 1181 * of disk, etc). 1182 */ 1183 mac_create_vnode(cred, dvp, tvp); 1184 1185 error = mac_stdcreatevnode_ea(tvp); 1186 if (error) 1187 return (error); 1188 1189 /* 1190 * XXX: Eventually this will go away and all policies will 1191 * directly manage their extended attributes. 1192 */ 1193 error = mac_externalize(&tvp->v_label, &extmac); 1194 if (error) 1195 return (error); 1196 1197 error = vn_extattr_set(tvp, IO_NODELOCKED, 1198 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, 1199 sizeof(extmac), (char *)&extmac, curthread); 1200 if (error == 0) 1201 tvp->v_vflag |= VV_CACHEDLABEL; 1202 else { 1203#if 0 1204 /* 1205 * In theory, we could have fall-back behavior here. 1206 * It would probably be incorrect. 1207 */ 1208#endif 1209 return (error); 1210 } 1211 } 1212 1213 return (0); 1214} 1215 1216void 1217mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp) 1218{ 1219 int error; 1220 1221 ASSERT_VOP_LOCKED(vp, "mac_execve_transition"); 1222 1223 error = vn_refreshlabel(vp, old); 1224 if (error) { 1225 printf("mac_execve_transition: vn_refreshlabel returned %d\n", 1226 error); 1227 printf("mac_execve_transition: using old vnode label\n"); 1228 } 1229 1230 MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label); 1231} 1232 1233int 1234mac_execve_will_transition(struct ucred *old, struct vnode *vp) 1235{ 1236 int error, result; 1237 1238 error = vn_refreshlabel(vp, old); 1239 if (error) 1240 return (error); 1241 1242 result = 0; 1243 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label); 1244 1245 return (result); 1246} 1247 1248static void 1249mac_init_label(struct label *label) 1250{ 1251 1252 bzero(label, sizeof(*label)); 1253 label->l_flags = MAC_FLAG_INITIALIZED; 1254} 1255 1256static void 1257mac_init_structmac(struct mac *mac) 1258{ 1259 1260 bzero(mac, sizeof(*mac)); 1261 mac->m_macflags = MAC_FLAG_INITIALIZED; 1262} 1263 1264static void 1265mac_destroy_label(struct label *label) 1266{ 1267 1268 KASSERT(label->l_flags & MAC_FLAG_INITIALIZED, 1269 ("destroying uninitialized label")); 1270 1271 bzero(label, sizeof(*label)); 1272 /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */ 1273} 1274 1275int 1276mac_init_mbuf(struct mbuf *m, int how) 1277{ 1278 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf")); 1279 1280 /* "how" is one of M_(TRY|DONT)WAIT */ 1281 mac_init_label(&m->m_pkthdr.label); 1282 MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); 1283#ifdef MAC_DEBUG 1284 atomic_add_int(&nmacmbufs, 1); 1285#endif 1286 return (0); 1287} 1288 1289void 1290mac_destroy_mbuf(struct mbuf *m) 1291{ 1292 1293 MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); 1294 mac_destroy_label(&m->m_pkthdr.label); 1295#ifdef MAC_DEBUG 1296 atomic_subtract_int(&nmacmbufs, 1); 1297#endif 1298} 1299 1300void 1301mac_init_cred(struct ucred *cr) 1302{ 1303 1304 mac_init_label(&cr->cr_label); 1305 MAC_PERFORM(init_cred, cr, &cr->cr_label); 1306#ifdef MAC_DEBUG 1307 atomic_add_int(&nmaccreds, 1); 1308#endif 1309} 1310 1311void 1312mac_destroy_cred(struct ucred *cr) 1313{ 1314 1315 MAC_PERFORM(destroy_cred, cr, &cr->cr_label); 1316 mac_destroy_label(&cr->cr_label); 1317#ifdef MAC_DEBUG 1318 atomic_subtract_int(&nmaccreds, 1); 1319#endif 1320} 1321 1322void 1323mac_init_ifnet(struct ifnet *ifp) 1324{ 1325 1326 mac_init_label(&ifp->if_label); 1327 MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); 1328#ifdef MAC_DEBUG 1329 atomic_add_int(&nmacifnets, 1); 1330#endif 1331} 1332 1333void 1334mac_destroy_ifnet(struct ifnet *ifp) 1335{ 1336 1337 MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); 1338 mac_destroy_label(&ifp->if_label); 1339#ifdef MAC_DEBUG 1340 atomic_subtract_int(&nmacifnets, 1); 1341#endif 1342} 1343 1344void 1345mac_init_ipq(struct ipq *ipq) 1346{ 1347 1348 mac_init_label(&ipq->ipq_label); 1349 MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); 1350#ifdef MAC_DEBUG 1351 atomic_add_int(&nmacipqs, 1); 1352#endif 1353} 1354 1355void 1356mac_destroy_ipq(struct ipq *ipq) 1357{ 1358 1359 MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); 1360 mac_destroy_label(&ipq->ipq_label); 1361#ifdef MAC_DEBUG 1362 atomic_subtract_int(&nmacipqs, 1); 1363#endif 1364} 1365 1366void 1367mac_init_socket(struct socket *socket) 1368{ 1369 1370 mac_init_label(&socket->so_label); 1371 mac_init_label(&socket->so_peerlabel); 1372 MAC_PERFORM(init_socket, socket, &socket->so_label, 1373 &socket->so_peerlabel); 1374#ifdef MAC_DEBUG 1375 atomic_add_int(&nmacsockets, 1); 1376#endif 1377} 1378 1379void 1380mac_destroy_socket(struct socket *socket) 1381{ 1382 1383 MAC_PERFORM(destroy_socket, socket, &socket->so_label, 1384 &socket->so_peerlabel); 1385 mac_destroy_label(&socket->so_label); 1386 mac_destroy_label(&socket->so_peerlabel); 1387#ifdef MAC_DEBUG 1388 atomic_subtract_int(&nmacsockets, 1); 1389#endif 1390} 1391 1392void 1393mac_init_pipe(struct pipe *pipe) 1394{ 1395 struct label *label; 1396 1397 label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); 1398 mac_init_label(label); 1399 pipe->pipe_label = label; 1400 pipe->pipe_peer->pipe_label = label; 1401 MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); 1402#ifdef MAC_DEBUG 1403 atomic_add_int(&nmacpipes, 1); 1404#endif 1405} 1406 1407void 1408mac_destroy_pipe(struct pipe *pipe) 1409{ 1410 1411 MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); 1412 mac_destroy_label(pipe->pipe_label); 1413 free(pipe->pipe_label, M_MACPIPELABEL); 1414#ifdef MAC_DEBUG 1415 atomic_subtract_int(&nmacpipes, 1); 1416#endif 1417} 1418 1419void 1420mac_init_bpfdesc(struct bpf_d *bpf_d) 1421{ 1422 1423 mac_init_label(&bpf_d->bd_label); 1424 MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); 1425#ifdef MAC_DEBUG 1426 atomic_add_int(&nmacbpfdescs, 1); 1427#endif 1428} 1429 1430void 1431mac_destroy_bpfdesc(struct bpf_d *bpf_d) 1432{ 1433 1434 MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); 1435 mac_destroy_label(&bpf_d->bd_label); 1436#ifdef MAC_DEBUG 1437 atomic_subtract_int(&nmacbpfdescs, 1); 1438#endif 1439} 1440 1441void 1442mac_init_mount(struct mount *mp) 1443{ 1444 1445 mac_init_label(&mp->mnt_mntlabel); 1446 mac_init_label(&mp->mnt_fslabel); 1447 MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); 1448#ifdef MAC_DEBUG 1449 atomic_add_int(&nmacmounts, 1); 1450#endif 1451} 1452 1453void 1454mac_destroy_mount(struct mount *mp) 1455{ 1456 1457 MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); 1458 mac_destroy_label(&mp->mnt_fslabel); 1459 mac_destroy_label(&mp->mnt_mntlabel); 1460#ifdef MAC_DEBUG 1461 atomic_subtract_int(&nmacmounts, 1); 1462#endif 1463} 1464 1465static void 1466mac_init_temp(struct label *label) 1467{ 1468 1469 mac_init_label(label); 1470 MAC_PERFORM(init_temp, label); 1471#ifdef MAC_DEBUG 1472 atomic_add_int(&nmactemp, 1); 1473#endif 1474} 1475 1476static void 1477mac_destroy_temp(struct label *label) 1478{ 1479 1480 MAC_PERFORM(destroy_temp, label); 1481 mac_destroy_label(label); 1482#ifdef MAC_DEBUG 1483 atomic_subtract_int(&nmactemp, 1); 1484#endif 1485} 1486 1487void 1488mac_init_vnode(struct vnode *vp) 1489{ 1490 1491 mac_init_label(&vp->v_label); 1492 MAC_PERFORM(init_vnode, vp, &vp->v_label); 1493#ifdef MAC_DEBUG 1494 atomic_add_int(&nmacvnodes, 1); 1495#endif 1496} 1497 1498void 1499mac_destroy_vnode(struct vnode *vp) 1500{ 1501 1502 MAC_PERFORM(destroy_vnode, vp, &vp->v_label); 1503 mac_destroy_label(&vp->v_label); 1504#ifdef MAC_DEBUG 1505 atomic_subtract_int(&nmacvnodes, 1); 1506#endif 1507} 1508 1509void 1510mac_init_devfsdirent(struct devfs_dirent *de) 1511{ 1512 1513 mac_init_label(&de->de_label); 1514 MAC_PERFORM(init_devfsdirent, de, &de->de_label); 1515#ifdef MAC_DEBUG 1516 atomic_add_int(&nmacdevfsdirents, 1); 1517#endif 1518} 1519 1520void 1521mac_destroy_devfsdirent(struct devfs_dirent *de) 1522{ 1523 1524 MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); 1525 mac_destroy_label(&de->de_label); 1526#ifdef MAC_DEBUG 1527 atomic_subtract_int(&nmacdevfsdirents, 1); 1528#endif 1529} 1530 1531static int 1532mac_externalize(struct label *label, struct mac *mac) 1533{ 1534 int error; 1535 1536 mac_init_structmac(mac); 1537 MAC_CHECK(externalize, label, mac); 1538 1539 return (error); 1540} 1541 1542static int 1543mac_internalize(struct label *label, struct mac *mac) 1544{ 1545 int error; 1546 1547 mac_init_temp(label); 1548 MAC_CHECK(internalize, label, mac); 1549 if (error) 1550 mac_destroy_temp(label); 1551 1552 return (error); 1553} 1554 1555/* 1556 * Initialize MAC label for the first kernel process, from which other 1557 * kernel processes and threads are spawned. 1558 */ 1559void 1560mac_create_proc0(struct ucred *cred) 1561{ 1562 1563 MAC_PERFORM(create_proc0, cred); 1564} 1565 1566/* 1567 * Initialize MAC label for the first userland process, from which other 1568 * userland processes and threads are spawned. 1569 */ 1570void 1571mac_create_proc1(struct ucred *cred) 1572{ 1573 1574 MAC_PERFORM(create_proc1, cred); 1575} 1576 1577/* 1578 * When a new process is created, its label must be initialized. Generally, 1579 * this involves inheritence from the parent process, modulo possible 1580 * deltas. This function allows that processing to take place. 1581 */ 1582void 1583mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred) 1584{ 1585 1586 MAC_PERFORM(create_cred, parent_cred, child_cred); 1587} 1588 1589int 1590mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags) 1591{ 1592 int error; 1593 1594 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access"); 1595 1596 if (!mac_enforce_fs) 1597 return (0); 1598 1599 error = vn_refreshlabel(vp, cred); 1600 if (error) 1601 return (error); 1602 1603 MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags); 1604 return (error); 1605} 1606 1607int 1608mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp) 1609{ 1610 int error; 1611 1612 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir"); 1613 1614 if (!mac_enforce_fs) 1615 return (0); 1616 1617 error = vn_refreshlabel(dvp, cred); 1618 if (error) 1619 return (error); 1620 1621 MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label); 1622 return (error); 1623} 1624 1625int 1626mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp) 1627{ 1628 int error; 1629 1630 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot"); 1631 1632 if (!mac_enforce_fs) 1633 return (0); 1634 1635 error = vn_refreshlabel(dvp, cred); 1636 if (error) 1637 return (error); 1638 1639 MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label); 1640 return (error); 1641} 1642 1643int 1644mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, 1645 struct componentname *cnp, struct vattr *vap) 1646{ 1647 int error; 1648 1649 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create"); 1650 1651 if (!mac_enforce_fs) 1652 return (0); 1653 1654 error = vn_refreshlabel(dvp, cred); 1655 if (error) 1656 return (error); 1657 1658 MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap); 1659 return (error); 1660} 1661 1662int 1663mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, 1664 struct componentname *cnp) 1665{ 1666 int error; 1667 1668 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete"); 1669 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete"); 1670 1671 if (!mac_enforce_fs) 1672 return (0); 1673 1674 error = vn_refreshlabel(dvp, cred); 1675 if (error) 1676 return (error); 1677 error = vn_refreshlabel(vp, cred); 1678 if (error) 1679 return (error); 1680 1681 MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp, 1682 &vp->v_label, cnp); 1683 return (error); 1684} 1685 1686int 1687mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, 1688 acl_type_t type) 1689{ 1690 int error; 1691 1692 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl"); 1693 1694 if (!mac_enforce_fs) 1695 return (0); 1696 1697 error = vn_refreshlabel(vp, cred); 1698 if (error) 1699 return (error); 1700 1701 MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type); 1702 return (error); 1703} 1704 1705int 1706mac_check_vnode_exec(struct ucred *cred, struct vnode *vp) 1707{ 1708 int error; 1709 1710 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec"); 1711 1712 if (!mac_enforce_process && !mac_enforce_fs) 1713 return (0); 1714 1715 error = vn_refreshlabel(vp, cred); 1716 if (error) 1717 return (error); 1718 MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label); 1719 1720 return (error); 1721} 1722 1723int 1724mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) 1725{ 1726 int error; 1727 1728 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl"); 1729 1730 if (!mac_enforce_fs) 1731 return (0); 1732 1733 error = vn_refreshlabel(vp, cred); 1734 if (error) 1735 return (error); 1736 1737 MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type); 1738 return (error); 1739} 1740 1741int 1742mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, 1743 int attrnamespace, const char *name, struct uio *uio) 1744{ 1745 int error; 1746 1747 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr"); 1748 1749 if (!mac_enforce_fs) 1750 return (0); 1751 1752 error = vn_refreshlabel(vp, cred); 1753 if (error) 1754 return (error); 1755 1756 MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label, 1757 attrnamespace, name, uio); 1758 return (error); 1759} 1760 1761int 1762mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, 1763 struct componentname *cnp) 1764{ 1765 int error; 1766 1767 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup"); 1768 1769 if (!mac_enforce_fs) 1770 return (0); 1771 1772 error = vn_refreshlabel(dvp, cred); 1773 if (error) 1774 return (error); 1775 1776 MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp); 1777 return (error); 1778} 1779 1780vm_prot_t 1781mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) 1782{ 1783 vm_prot_t result = VM_PROT_ALL; 1784 1785 if (!mac_enforce_vm) 1786 return (result); 1787 1788 /* 1789 * This should be some sort of MAC_BITWISE, maybe :) 1790 */ 1791 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_perms"); 1792 MAC_BOOLEAN(check_vnode_mmap_perms, &, cred, vp, &vp->v_label, 1793 newmapping); 1794 return (result); 1795} 1796 1797int 1798mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) 1799{ 1800 int error; 1801 1802 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); 1803 1804 if (!mac_enforce_fs) 1805 return (0); 1806 1807 error = vn_refreshlabel(vp, cred); 1808 if (error) 1809 return (error); 1810 1811 MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); 1812 return (error); 1813} 1814 1815int 1816mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, 1817 struct vnode *vp) 1818{ 1819 int error; 1820 1821 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); 1822 1823 if (!mac_enforce_fs) 1824 return (0); 1825 1826 error = vn_refreshlabel(vp, active_cred); 1827 if (error) 1828 return (error); 1829 1830 MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp, 1831 &vp->v_label); 1832 1833 return (error); 1834} 1835 1836int 1837mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, 1838 struct vnode *vp) 1839{ 1840 int error; 1841 1842 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); 1843 1844 if (!mac_enforce_fs) 1845 return (0); 1846 1847 error = vn_refreshlabel(vp, active_cred); 1848 if (error) 1849 return (error); 1850 1851 MAC_CHECK(check_vnode_read, active_cred, file_cred, vp, 1852 &vp->v_label); 1853 1854 return (error); 1855} 1856 1857int 1858mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) 1859{ 1860 int error; 1861 1862 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir"); 1863 1864 if (!mac_enforce_fs) 1865 return (0); 1866 1867 error = vn_refreshlabel(dvp, cred); 1868 if (error) 1869 return (error); 1870 1871 MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label); 1872 return (error); 1873} 1874 1875int 1876mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp) 1877{ 1878 int error; 1879 1880 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink"); 1881 1882 if (!mac_enforce_fs) 1883 return (0); 1884 1885 error = vn_refreshlabel(vp, cred); 1886 if (error) 1887 return (error); 1888 1889 MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label); 1890 return (error); 1891} 1892 1893static int 1894mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, 1895 struct label *newlabel) 1896{ 1897 int error; 1898 1899 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel"); 1900 1901 error = vn_refreshlabel(vp, cred); 1902 if (error) 1903 return (error); 1904 1905 MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel); 1906 1907 return (error); 1908} 1909 1910int 1911mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, 1912 struct vnode *vp, struct componentname *cnp) 1913{ 1914 int error; 1915 1916 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from"); 1917 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from"); 1918 1919 if (!mac_enforce_fs) 1920 return (0); 1921 1922 error = vn_refreshlabel(dvp, cred); 1923 if (error) 1924 return (error); 1925 error = vn_refreshlabel(vp, cred); 1926 if (error) 1927 return (error); 1928 1929 MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp, 1930 &vp->v_label, cnp); 1931 return (error); 1932} 1933 1934int 1935mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, 1936 struct vnode *vp, int samedir, struct componentname *cnp) 1937{ 1938 int error; 1939 1940 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to"); 1941 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to"); 1942 1943 if (!mac_enforce_fs) 1944 return (0); 1945 1946 error = vn_refreshlabel(dvp, cred); 1947 if (error) 1948 return (error); 1949 if (vp != NULL) { 1950 error = vn_refreshlabel(vp, cred); 1951 if (error) 1952 return (error); 1953 } 1954 MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp, 1955 vp != NULL ? &vp->v_label : NULL, samedir, cnp); 1956 return (error); 1957} 1958 1959int 1960mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp) 1961{ 1962 int error; 1963 1964 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke"); 1965 1966 if (!mac_enforce_fs) 1967 return (0); 1968 1969 error = vn_refreshlabel(vp, cred); 1970 if (error) 1971 return (error); 1972 1973 MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label); 1974 return (error); 1975} 1976 1977int 1978mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, 1979 struct acl *acl) 1980{ 1981 int error; 1982 1983 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl"); 1984 1985 if (!mac_enforce_fs) 1986 return (0); 1987 1988 error = vn_refreshlabel(vp, cred); 1989 if (error) 1990 return (error); 1991 1992 MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl); 1993 return (error); 1994} 1995 1996int 1997mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, 1998 int attrnamespace, const char *name, struct uio *uio) 1999{ 2000 int error; 2001 2002 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr"); 2003 2004 if (!mac_enforce_fs) 2005 return (0); 2006 2007 error = vn_refreshlabel(vp, cred); 2008 if (error) 2009 return (error); 2010 2011 MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label, 2012 attrnamespace, name, uio); 2013 return (error); 2014} 2015 2016int 2017mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags) 2018{ 2019 int error; 2020 2021 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags"); 2022 2023 if (!mac_enforce_fs) 2024 return (0); 2025 2026 error = vn_refreshlabel(vp, cred); 2027 if (error) 2028 return (error); 2029 2030 MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags); 2031 return (error); 2032} 2033 2034int 2035mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) 2036{ 2037 int error; 2038 2039 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode"); 2040 2041 if (!mac_enforce_fs) 2042 return (0); 2043 2044 error = vn_refreshlabel(vp, cred); 2045 if (error) 2046 return (error); 2047 2048 MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode); 2049 return (error); 2050} 2051 2052int 2053mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, 2054 gid_t gid) 2055{ 2056 int error; 2057 2058 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner"); 2059 2060 if (!mac_enforce_fs) 2061 return (0); 2062 2063 error = vn_refreshlabel(vp, cred); 2064 if (error) 2065 return (error); 2066 2067 MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid); 2068 return (error); 2069} 2070 2071int 2072mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, 2073 struct timespec atime, struct timespec mtime) 2074{ 2075 int error; 2076 2077 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes"); 2078 2079 if (!mac_enforce_fs) 2080 return (0); 2081 2082 error = vn_refreshlabel(vp, cred); 2083 if (error) 2084 return (error); 2085 2086 MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime, 2087 mtime); 2088 return (error); 2089} 2090 2091int 2092mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, 2093 struct vnode *vp) 2094{ 2095 int error; 2096 2097 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat"); 2098 2099 if (!mac_enforce_fs) 2100 return (0); 2101 2102 error = vn_refreshlabel(vp, active_cred); 2103 if (error) 2104 return (error); 2105 2106 MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp, 2107 &vp->v_label); 2108 return (error); 2109} 2110 2111int 2112mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, 2113 struct vnode *vp) 2114{ 2115 int error; 2116 2117 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); 2118 2119 if (!mac_enforce_fs) 2120 return (0); 2121 2122 error = vn_refreshlabel(vp, active_cred); 2123 if (error) 2124 return (error); 2125 2126 MAC_CHECK(check_vnode_write, active_cred, file_cred, vp, 2127 &vp->v_label); 2128 2129 return (error); 2130} 2131 2132/* 2133 * When relabeling a process, call out to the policies for the maximum 2134 * permission allowed for each object type we know about in its 2135 * memory space, and revoke access (in the least surprising ways we 2136 * know) when necessary. The process lock is not held here. 2137 */ 2138static void 2139mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred) 2140{ 2141 2142 /* XXX freeze all other threads */ 2143 mac_cred_mmapped_drop_perms_recurse(td, cred, 2144 &td->td_proc->p_vmspace->vm_map); 2145 /* XXX allow other threads to continue */ 2146} 2147 2148static __inline const char * 2149prot2str(vm_prot_t prot) 2150{ 2151 2152 switch (prot & VM_PROT_ALL) { 2153 case VM_PROT_READ: 2154 return ("r--"); 2155 case VM_PROT_READ | VM_PROT_WRITE: 2156 return ("rw-"); 2157 case VM_PROT_READ | VM_PROT_EXECUTE: 2158 return ("r-x"); 2159 case VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE: 2160 return ("rwx"); 2161 case VM_PROT_WRITE: 2162 return ("-w-"); 2163 case VM_PROT_EXECUTE: 2164 return ("--x"); 2165 case VM_PROT_WRITE | VM_PROT_EXECUTE: 2166 return ("-wx"); 2167 default: 2168 return ("---"); 2169 } 2170} 2171 2172static void 2173mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, 2174 struct vm_map *map) 2175{ 2176 struct vm_map_entry *vme; 2177 vm_prot_t result, revokeperms; 2178 vm_object_t object; 2179 vm_ooffset_t offset; 2180 struct vnode *vp; 2181 2182 if (!mac_mmap_revocation) 2183 return; 2184 2185 vm_map_lock_read(map); 2186 for (vme = map->header.next; vme != &map->header; vme = vme->next) { 2187 if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) { 2188 mac_cred_mmapped_drop_perms_recurse(td, cred, 2189 vme->object.sub_map); 2190 continue; 2191 } 2192 /* 2193 * Skip over entries that obviously are not shared. 2194 */ 2195 if (vme->eflags & (MAP_ENTRY_COW | MAP_ENTRY_NOSYNC) || 2196 !vme->max_protection) 2197 continue; 2198 /* 2199 * Drill down to the deepest backing object. 2200 */ 2201 offset = vme->offset; 2202 object = vme->object.vm_object; 2203 if (object == NULL) 2204 continue; 2205 while (object->backing_object != NULL) { 2206 object = object->backing_object; 2207 offset += object->backing_object_offset; 2208 } 2209 /* 2210 * At the moment, vm_maps and objects aren't considered 2211 * by the MAC system, so only things with backing by a 2212 * normal object (read: vnodes) are checked. 2213 */ 2214 if (object->type != OBJT_VNODE) 2215 continue; 2216 vp = (struct vnode *)object->handle; 2217 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 2218 result = mac_check_vnode_mmap_prot(cred, vp, 0); 2219 VOP_UNLOCK(vp, 0, td); 2220 /* 2221 * Find out what maximum protection we may be allowing 2222 * now but a policy needs to get removed. 2223 */ 2224 revokeperms = vme->max_protection & ~result; 2225 if (!revokeperms) 2226 continue; 2227 printf("pid %ld: revoking %s perms from %#lx:%ld " 2228 "(max %s/cur %s)\n", (long)td->td_proc->p_pid, 2229 prot2str(revokeperms), (u_long)vme->start, 2230 (long)(vme->end - vme->start), 2231 prot2str(vme->max_protection), prot2str(vme->protection)); 2232 vm_map_lock_upgrade(map); 2233 /* 2234 * This is the really simple case: if a map has more 2235 * max_protection than is allowed, but it's not being 2236 * actually used (that is, the current protection is 2237 * still allowed), we can just wipe it out and do 2238 * nothing more. 2239 */ 2240 if ((vme->protection & revokeperms) == 0) { 2241 vme->max_protection -= revokeperms; 2242 } else { 2243 if (revokeperms & VM_PROT_WRITE) { 2244 /* 2245 * In the more complicated case, flush out all 2246 * pending changes to the object then turn it 2247 * copy-on-write. 2248 */ 2249 vm_object_reference(object); 2250 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 2251 vm_object_page_clean(object, 2252 OFF_TO_IDX(offset), 2253 OFF_TO_IDX(offset + vme->end - vme->start + 2254 PAGE_MASK), 2255 OBJPC_SYNC); 2256 VOP_UNLOCK(vp, 0, td); 2257 vm_object_deallocate(object); 2258 /* 2259 * Why bother if there's no read permissions 2260 * anymore? For the rest, we need to leave 2261 * the write permissions on for COW, or 2262 * remove them entirely if configured to. 2263 */ 2264 if (!mac_mmap_revocation_via_cow) { 2265 vme->max_protection &= ~VM_PROT_WRITE; 2266 vme->protection &= ~VM_PROT_WRITE; 2267 } if ((revokeperms & VM_PROT_READ) == 0) 2268 vme->eflags |= MAP_ENTRY_COW | 2269 MAP_ENTRY_NEEDS_COPY; 2270 } 2271 if (revokeperms & VM_PROT_EXECUTE) { 2272 vme->max_protection &= ~VM_PROT_EXECUTE; 2273 vme->protection &= ~VM_PROT_EXECUTE; 2274 } 2275 if (revokeperms & VM_PROT_READ) { 2276 vme->max_protection = 0; 2277 vme->protection = 0; 2278 } 2279 pmap_protect(map->pmap, vme->start, vme->end, 2280 vme->protection & ~revokeperms); 2281 vm_map_simplify_entry(map, vme); 2282 } 2283 vm_map_lock_downgrade(map); 2284 } 2285 vm_map_unlock_read(map); 2286} 2287 2288/* 2289 * When the subject's label changes, it may require revocation of privilege 2290 * to mapped objects. This can't be done on-the-fly later with a unified 2291 * buffer cache. 2292 */ 2293static void 2294mac_relabel_cred(struct ucred *cred, struct label *newlabel) 2295{ 2296 2297 MAC_PERFORM(relabel_cred, cred, newlabel); 2298} 2299 2300void 2301mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel) 2302{ 2303 2304 MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel); 2305} 2306 2307void 2308mac_create_ifnet(struct ifnet *ifnet) 2309{ 2310 2311 MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label); 2312} 2313 2314void 2315mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) 2316{ 2317 2318 MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label); 2319} 2320 2321void 2322mac_create_socket(struct ucred *cred, struct socket *socket) 2323{ 2324 2325 MAC_PERFORM(create_socket, cred, socket, &socket->so_label); 2326} 2327 2328void 2329mac_create_pipe(struct ucred *cred, struct pipe *pipe) 2330{ 2331 2332 MAC_PERFORM(create_pipe, cred, pipe, pipe->pipe_label); 2333} 2334 2335void 2336mac_create_socket_from_socket(struct socket *oldsocket, 2337 struct socket *newsocket) 2338{ 2339 2340 MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label, 2341 newsocket, &newsocket->so_label); 2342} 2343 2344static void 2345mac_relabel_socket(struct ucred *cred, struct socket *socket, 2346 struct label *newlabel) 2347{ 2348 2349 MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel); 2350} 2351 2352static void 2353mac_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *newlabel) 2354{ 2355 2356 MAC_PERFORM(relabel_pipe, cred, pipe, pipe->pipe_label, newlabel); 2357} 2358 2359void 2360mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) 2361{ 2362 2363 MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, &mbuf->m_pkthdr.label, 2364 socket, &socket->so_peerlabel); 2365} 2366 2367void 2368mac_set_socket_peer_from_socket(struct socket *oldsocket, 2369 struct socket *newsocket) 2370{ 2371 2372 MAC_PERFORM(set_socket_peer_from_socket, oldsocket, 2373 &oldsocket->so_label, newsocket, &newsocket->so_peerlabel); 2374} 2375 2376void 2377mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram) 2378{ 2379 2380 MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label, 2381 datagram, &datagram->m_pkthdr.label); 2382} 2383 2384void 2385mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment) 2386{ 2387 2388 MAC_PERFORM(create_fragment, datagram, &datagram->m_pkthdr.label, 2389 fragment, &fragment->m_pkthdr.label); 2390} 2391 2392void 2393mac_create_ipq(struct mbuf *fragment, struct ipq *ipq) 2394{ 2395 2396 MAC_PERFORM(create_ipq, fragment, &fragment->m_pkthdr.label, ipq, 2397 &ipq->ipq_label); 2398} 2399 2400void 2401mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf) 2402{ 2403 2404 MAC_PERFORM(create_mbuf_from_mbuf, oldmbuf, &oldmbuf->m_pkthdr.label, 2405 newmbuf, &newmbuf->m_pkthdr.label); 2406} 2407 2408void 2409mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) 2410{ 2411 2412 MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf, 2413 &mbuf->m_pkthdr.label); 2414} 2415 2416void 2417mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf) 2418{ 2419 2420 MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf, 2421 &mbuf->m_pkthdr.label); 2422} 2423 2424void 2425mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) 2426{ 2427 2428 MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf, 2429 &mbuf->m_pkthdr.label); 2430} 2431 2432void 2433mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, 2434 struct mbuf *newmbuf) 2435{ 2436 2437 MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, 2438 &oldmbuf->m_pkthdr.label, ifnet, &ifnet->if_label, newmbuf, 2439 &newmbuf->m_pkthdr.label); 2440} 2441 2442void 2443mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf) 2444{ 2445 2446 MAC_PERFORM(create_mbuf_netlayer, oldmbuf, &oldmbuf->m_pkthdr.label, 2447 newmbuf, &newmbuf->m_pkthdr.label); 2448} 2449 2450int 2451mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) 2452{ 2453 int result; 2454 2455 result = 1; 2456 MAC_BOOLEAN(fragment_match, &&, fragment, &fragment->m_pkthdr.label, 2457 ipq, &ipq->ipq_label); 2458 2459 return (result); 2460} 2461 2462void 2463mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) 2464{ 2465 2466 MAC_PERFORM(update_ipq, fragment, &fragment->m_pkthdr.label, ipq, 2467 &ipq->ipq_label); 2468} 2469 2470void 2471mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) 2472{ 2473 2474 MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf, 2475 &mbuf->m_pkthdr.label); 2476} 2477 2478void 2479mac_create_mount(struct ucred *cred, struct mount *mp) 2480{ 2481 2482 MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel, 2483 &mp->mnt_fslabel); 2484} 2485 2486void 2487mac_create_root_mount(struct ucred *cred, struct mount *mp) 2488{ 2489 2490 MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel, 2491 &mp->mnt_fslabel); 2492} 2493 2494int 2495mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) 2496{ 2497 int error; 2498 2499 if (!mac_enforce_network) 2500 return (0); 2501 2502 MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet, 2503 &ifnet->if_label); 2504 2505 return (error); 2506} 2507 2508static int 2509mac_check_cred_relabel(struct ucred *cred, struct label *newlabel) 2510{ 2511 int error; 2512 2513 MAC_CHECK(check_cred_relabel, cred, newlabel); 2514 2515 return (error); 2516} 2517 2518int 2519mac_check_cred_visible(struct ucred *u1, struct ucred *u2) 2520{ 2521 int error; 2522 2523 if (!mac_enforce_process) 2524 return (0); 2525 2526 MAC_CHECK(check_cred_visible, u1, u2); 2527 2528 return (error); 2529} 2530 2531int 2532mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) 2533{ 2534 int error; 2535 2536 if (!mac_enforce_network) 2537 return (0); 2538 2539 KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr")); 2540 if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED)) 2541 printf("%s%d: not initialized\n", ifnet->if_name, 2542 ifnet->if_unit); 2543 2544 MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, 2545 &mbuf->m_pkthdr.label); 2546 2547 return (error); 2548} 2549 2550int 2551mac_check_mount_stat(struct ucred *cred, struct mount *mount) 2552{ 2553 int error; 2554 2555 if (!mac_enforce_fs) 2556 return (0); 2557 2558 MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel); 2559 2560 return (error); 2561} 2562 2563int 2564mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, 2565 void *data) 2566{ 2567 int error; 2568 2569 MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); 2570 2571 return (error); 2572} 2573 2574int 2575mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) 2576{ 2577 int error; 2578 2579 MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); 2580 2581 return (error); 2582} 2583 2584int 2585mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) 2586{ 2587 int error; 2588 2589 MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); 2590 2591 return (error); 2592} 2593 2594static int 2595mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, 2596 struct label *newlabel) 2597{ 2598 int error; 2599 2600 MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); 2601 2602 return (error); 2603} 2604 2605int 2606mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) 2607{ 2608 int error; 2609 2610 MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); 2611 2612 return (error); 2613} 2614 2615int 2616mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) 2617{ 2618 int error; 2619 2620 MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); 2621 2622 return (error); 2623} 2624 2625int 2626mac_check_proc_debug(struct ucred *cred, struct proc *proc) 2627{ 2628 int error; 2629 2630 PROC_LOCK_ASSERT(proc, MA_OWNED); 2631 2632 if (!mac_enforce_process) 2633 return (0); 2634 2635 MAC_CHECK(check_proc_debug, cred, proc); 2636 2637 return (error); 2638} 2639 2640int 2641mac_check_proc_sched(struct ucred *cred, struct proc *proc) 2642{ 2643 int error; 2644 2645 PROC_LOCK_ASSERT(proc, MA_OWNED); 2646 2647 if (!mac_enforce_process) 2648 return (0); 2649 2650 MAC_CHECK(check_proc_sched, cred, proc); 2651 2652 return (error); 2653} 2654 2655int 2656mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) 2657{ 2658 int error; 2659 2660 PROC_LOCK_ASSERT(proc, MA_OWNED); 2661 2662 if (!mac_enforce_process) 2663 return (0); 2664 2665 MAC_CHECK(check_proc_signal, cred, proc, signum); 2666 2667 return (error); 2668} 2669 2670int 2671mac_check_socket_bind(struct ucred *ucred, struct socket *socket, 2672 struct sockaddr *sockaddr) 2673{ 2674 int error; 2675 2676 if (!mac_enforce_socket) 2677 return (0); 2678 2679 MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label, 2680 sockaddr); 2681 2682 return (error); 2683} 2684 2685int 2686mac_check_socket_connect(struct ucred *cred, struct socket *socket, 2687 struct sockaddr *sockaddr) 2688{ 2689 int error; 2690 2691 if (!mac_enforce_socket) 2692 return (0); 2693 2694 MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label, 2695 sockaddr); 2696 2697 return (error); 2698} 2699 2700int 2701mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) 2702{ 2703 int error; 2704 2705 if (!mac_enforce_socket) 2706 return (0); 2707 2708 MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf, 2709 &mbuf->m_pkthdr.label); 2710 2711 return (error); 2712} 2713 2714int 2715mac_check_socket_listen(struct ucred *cred, struct socket *socket) 2716{ 2717 int error; 2718 2719 if (!mac_enforce_socket) 2720 return (0); 2721 2722 MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label); 2723 return (error); 2724} 2725 2726static int 2727mac_check_socket_relabel(struct ucred *cred, struct socket *socket, 2728 struct label *newlabel) 2729{ 2730 int error; 2731 2732 MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label, 2733 newlabel); 2734 2735 return (error); 2736} 2737 2738int 2739mac_check_socket_visible(struct ucred *cred, struct socket *socket) 2740{ 2741 int error; 2742 2743 if (!mac_enforce_socket) 2744 return (0); 2745 2746 MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label); 2747 2748 return (error); 2749} 2750 2751int 2752mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, 2753 struct ifnet *ifnet) 2754{ 2755 struct mac label; 2756 int error; 2757 2758 error = mac_externalize(&ifnet->if_label, &label); 2759 if (error) 2760 return (error); 2761 2762 return (copyout(&label, ifr->ifr_ifru.ifru_data, sizeof(label))); 2763} 2764 2765int 2766mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, 2767 struct ifnet *ifnet) 2768{ 2769 struct mac newlabel; 2770 struct label intlabel; 2771 int error; 2772 2773 error = copyin(ifr->ifr_ifru.ifru_data, &newlabel, sizeof(newlabel)); 2774 if (error) 2775 return (error); 2776 2777 error = mac_internalize(&intlabel, &newlabel); 2778 if (error) 2779 return (error); 2780 2781 /* 2782 * XXX: Note that this is a redundant privilege check, since 2783 * policies impose this check themselves if required by the 2784 * policy. Eventually, this should go away. 2785 */ 2786 error = suser_cred(cred, 0); 2787 if (error) 2788 goto out; 2789 2790 MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label, 2791 &intlabel); 2792 if (error) 2793 goto out; 2794 2795 MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel); 2796 2797out: 2798 mac_destroy_temp(&intlabel); 2799 return (error); 2800} 2801 2802void 2803mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp) 2804{ 2805 2806 MAC_PERFORM(create_devfs_vnode, de, &de->de_label, vp, &vp->v_label); 2807} 2808 2809void 2810mac_create_devfs_device(dev_t dev, struct devfs_dirent *de) 2811{ 2812 2813 MAC_PERFORM(create_devfs_device, dev, de, &de->de_label); 2814} 2815 2816static int 2817mac_stdcreatevnode_ea(struct vnode *vp) 2818{ 2819 int error; 2820 2821 MAC_CHECK(stdcreatevnode_ea, vp, &vp->v_label); 2822 2823 return (error); 2824} 2825 2826void 2827mac_create_devfs_directory(char *dirname, int dirnamelen, 2828 struct devfs_dirent *de) 2829{ 2830 2831 MAC_PERFORM(create_devfs_directory, dirname, dirnamelen, de, 2832 &de->de_label); 2833} 2834 2835/* 2836 * When a new vnode is created, this call will initialize its label. 2837 */ 2838void 2839mac_create_vnode(struct ucred *cred, struct vnode *parent, 2840 struct vnode *child) 2841{ 2842 int error; 2843 2844 ASSERT_VOP_LOCKED(parent, "mac_create_vnode"); 2845 ASSERT_VOP_LOCKED(child, "mac_create_vnode"); 2846 2847 error = vn_refreshlabel(parent, cred); 2848 if (error) { 2849 printf("mac_create_vnode: vn_refreshlabel returned %d\n", 2850 error); 2851 printf("mac_create_vnode: using old vnode label\n"); 2852 } 2853 2854 MAC_PERFORM(create_vnode, cred, parent, &parent->v_label, child, 2855 &child->v_label); 2856} 2857 2858int 2859mac_setsockopt_label_set(struct ucred *cred, struct socket *so, 2860 struct mac *extmac) 2861{ 2862 struct label intlabel; 2863 int error; 2864 2865 error = mac_internalize(&intlabel, extmac); 2866 if (error) 2867 return (error); 2868 2869 mac_check_socket_relabel(cred, so, &intlabel); 2870 if (error) { 2871 mac_destroy_temp(&intlabel); 2872 return (error); 2873 } 2874 2875 mac_relabel_socket(cred, so, &intlabel); 2876 2877 mac_destroy_temp(&intlabel); 2878 return (0); 2879} 2880 2881int 2882mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) 2883{ 2884 int error; 2885 2886 error = mac_check_pipe_relabel(cred, pipe, label); 2887 if (error) 2888 return (error); 2889 2890 mac_relabel_pipe(cred, pipe, label); 2891 2892 return (0); 2893} 2894 2895int 2896mac_getsockopt_label_get(struct ucred *cred, struct socket *so, 2897 struct mac *extmac) 2898{ 2899 2900 return (mac_externalize(&so->so_label, extmac)); 2901} 2902 2903int 2904mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, 2905 struct mac *extmac) 2906{ 2907 2908 return (mac_externalize(&so->so_peerlabel, extmac)); 2909} 2910 2911/* 2912 * Implementation of VOP_SETLABEL() that relies on extended attributes 2913 * to store label data. Can be referenced by filesystems supporting 2914 * extended attributes. 2915 */ 2916int 2917vop_stdsetlabel_ea(struct vop_setlabel_args *ap) 2918{ 2919 struct vnode *vp = ap->a_vp; 2920 struct label *intlabel = ap->a_label; 2921 struct mac extmac; 2922 int error; 2923 2924 ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea"); 2925 2926 /* 2927 * XXX: Eventually call out to EA check/set calls here. 2928 * Be particularly careful to avoid race conditions, 2929 * consistency problems, and stability problems when 2930 * dealing with multiple EAs. In particular, we require 2931 * the ability to write multiple EAs on the same file in 2932 * a single transaction, which the current EA interface 2933 * does not provide. 2934 */ 2935 2936 error = mac_externalize(intlabel, &extmac); 2937 if (error) 2938 return (error); 2939 2940 error = vn_extattr_set(vp, IO_NODELOCKED, 2941 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, 2942 sizeof(extmac), (char *)&extmac, curthread); 2943 if (error) 2944 return (error); 2945 2946 mac_relabel_vnode(ap->a_cred, vp, intlabel); 2947 2948 vp->v_vflag |= VV_CACHEDLABEL; 2949 2950 return (0); 2951} 2952 2953static int 2954vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) 2955{ 2956 int error; 2957 2958 if (vp->v_mount == NULL) { 2959 /* printf("vn_setlabel: null v_mount\n"); */ 2960 if (vp->v_type != VNON) 2961 printf("vn_setlabel: null v_mount with non-VNON\n"); 2962 return (EBADF); 2963 } 2964 2965 if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) 2966 return (EOPNOTSUPP); 2967 2968 /* 2969 * Multi-phase commit. First check the policies to confirm the 2970 * change is OK. Then commit via the filesystem. Finally, 2971 * update the actual vnode label. Question: maybe the filesystem 2972 * should update the vnode at the end as part of VOP_SETLABEL()? 2973 */ 2974 error = mac_check_vnode_relabel(cred, vp, intlabel); 2975 if (error) 2976 return (error); 2977 2978 /* 2979 * VADMIN provides the opportunity for the filesystem to make 2980 * decisions about who is and is not able to modify labels 2981 * and protections on files. This might not be right. We can't 2982 * assume VOP_SETLABEL() will do it, because we might implement 2983 * that as part of vop_stdsetlabel_ea(). 2984 */ 2985 error = VOP_ACCESS(vp, VADMIN, cred, curthread); 2986 if (error) 2987 return (error); 2988 2989 error = VOP_SETLABEL(vp, intlabel, cred, curthread); 2990 if (error) 2991 return (error); 2992 2993 return (0); 2994} 2995 2996/* 2997 * MPSAFE 2998 */ 2999int 3000__mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) 3001{ 3002 struct mac extmac; 3003 int error; 3004 3005 error = mac_externalize(&td->td_ucred->cr_label, &extmac); 3006 if (error == 0) 3007 error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); 3008 3009 return (error); 3010} 3011 3012/* 3013 * MPSAFE 3014 */ 3015int 3016__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) 3017{ 3018 struct ucred *newcred, *oldcred; 3019 struct proc *p; 3020 struct mac extmac; 3021 struct label intlabel; 3022 int error; 3023 3024 error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); 3025 if (error) 3026 return (error); 3027 3028 error = mac_internalize(&intlabel, &extmac); 3029 if (error) 3030 return (error); 3031 3032 newcred = crget(); 3033 3034 p = td->td_proc; 3035 PROC_LOCK(p); 3036 oldcred = p->p_ucred; 3037 3038 error = mac_check_cred_relabel(oldcred, &intlabel); 3039 if (error) { 3040 PROC_UNLOCK(p); 3041 mac_destroy_temp(&intlabel); 3042 crfree(newcred); 3043 return (error); 3044 } 3045 3046 setsugid(p); 3047 crcopy(newcred, oldcred); 3048 mac_relabel_cred(newcred, &intlabel); 3049 p->p_ucred = newcred; 3050 3051 /* 3052 * Grab additional reference for use while revoking mmaps, prior 3053 * to releasing the proc lock and sharing the cred. 3054 */ 3055 crhold(newcred); 3056 PROC_UNLOCK(p); 3057 3058 mtx_lock(&Giant); 3059 mac_cred_mmapped_drop_perms(td, newcred); 3060 mtx_unlock(&Giant); 3061 3062 crfree(newcred); /* Free revocation reference. */ 3063 crfree(oldcred); 3064 mac_destroy_temp(&intlabel); 3065 return (0); 3066} 3067 3068/* 3069 * MPSAFE 3070 */ 3071int 3072__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) 3073{ 3074 struct file *fp; 3075 struct mac extmac; 3076 struct vnode *vp; 3077 struct pipe *pipe; 3078 int error; 3079 3080 mtx_lock(&Giant); 3081 3082 error = fget(td, SCARG(uap, fd), &fp); 3083 if (error) 3084 goto out; 3085 3086 switch (fp->f_type) { 3087 case DTYPE_FIFO: 3088 case DTYPE_VNODE: 3089 vp = (struct vnode *)fp->f_data; 3090 3091 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 3092 error = vn_refreshlabel(vp, td->td_ucred); 3093 if (error == 0) 3094 error = mac_externalize(&vp->v_label, &extmac); 3095 VOP_UNLOCK(vp, 0, td); 3096 break; 3097 case DTYPE_PIPE: 3098 pipe = (struct pipe *)fp->f_data; 3099 error = mac_externalize(pipe->pipe_label, &extmac); 3100 break; 3101 default: 3102 error = EINVAL; 3103 } 3104 3105 if (error == 0) 3106 error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); 3107 3108 fdrop(fp, td); 3109 3110out: 3111 mtx_unlock(&Giant); 3112 return (error); 3113} 3114 3115/* 3116 * MPSAFE 3117 */ 3118int 3119__mac_get_file(struct thread *td, struct __mac_get_file_args *uap) 3120{ 3121 struct nameidata nd; 3122 struct mac extmac; 3123 int error; 3124 3125 mtx_lock(&Giant); 3126 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, 3127 SCARG(uap, path_p), td); 3128 error = namei(&nd); 3129 if (error) 3130 goto out; 3131 3132 error = vn_refreshlabel(nd.ni_vp, td->td_ucred); 3133 if (error == 0) 3134 error = mac_externalize(&nd.ni_vp->v_label, &extmac); 3135 NDFREE(&nd, 0); 3136 if (error) 3137 goto out; 3138 3139 error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); 3140 3141out: 3142 mtx_unlock(&Giant); 3143 return (error); 3144} 3145 3146/* 3147 * MPSAFE 3148 */ 3149int 3150__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) 3151{ 3152 struct file *fp; 3153 struct mac extmac; 3154 struct label intlabel; 3155 struct mount *mp; 3156 struct vnode *vp; 3157 struct pipe *pipe; 3158 int error; 3159 3160 mtx_lock(&Giant); 3161 error = fget(td, SCARG(uap, fd), &fp); 3162 if (error) 3163 goto out1; 3164 3165 error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); 3166 if (error) 3167 goto out2; 3168 3169 error = mac_internalize(&intlabel, &extmac); 3170 if (error) 3171 goto out2; 3172 3173 switch (fp->f_type) { 3174 case DTYPE_FIFO: 3175 case DTYPE_VNODE: 3176 vp = (struct vnode *)fp->f_data; 3177 error = vn_start_write(vp, &mp, V_WAIT | PCATCH); 3178 if (error != 0) 3179 break; 3180 3181 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 3182 error = vn_setlabel(vp, &intlabel, td->td_ucred); 3183 VOP_UNLOCK(vp, 0, td); 3184 vn_finished_write(mp); 3185 mac_destroy_temp(&intlabel); 3186 break; 3187 case DTYPE_PIPE: 3188 pipe = (struct pipe *)fp->f_data; 3189 error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); 3190 break; 3191 default: 3192 error = EINVAL; 3193 } 3194 3195out2: 3196 fdrop(fp, td); 3197out1: 3198 mtx_unlock(&Giant); 3199 return (error); 3200} 3201 3202/* 3203 * MPSAFE 3204 */ 3205int 3206__mac_set_file(struct thread *td, struct __mac_set_file_args *uap) 3207{ 3208 struct nameidata nd; 3209 struct mac extmac; 3210 struct label intlabel; 3211 struct mount *mp; 3212 int error; 3213 3214 mtx_lock(&Giant); 3215 3216 error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); 3217 if (error) 3218 goto out; 3219 3220 error = mac_internalize(&intlabel, &extmac); 3221 if (error) 3222 goto out; 3223 3224 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, 3225 SCARG(uap, path_p), td); 3226 error = namei(&nd); 3227 if (error) 3228 goto out2; 3229 error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); 3230 if (error) 3231 goto out2; 3232 3233 error = vn_setlabel(nd.ni_vp, &intlabel, td->td_ucred); 3234 3235 vn_finished_write(mp); 3236out2: 3237 mac_destroy_temp(&intlabel); 3238 NDFREE(&nd, 0); 3239out: 3240 mtx_unlock(&Giant); 3241 return (error); 3242} 3243 3244int 3245mac_syscall(struct thread *td, struct mac_syscall_args *uap) 3246{ 3247 struct mac_policy_conf *mpc; 3248 char target[MAC_MAX_POLICY_NAME]; 3249 int error; 3250 3251 error = copyinstr(SCARG(uap, policy), target, sizeof(target), NULL); 3252 if (error) 3253 return (error); 3254 3255 error = ENOSYS; 3256 MAC_POLICY_LIST_BUSY(); 3257 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { 3258 if (strcmp(mpc->mpc_name, target) == 0 && 3259 mpc->mpc_ops->mpo_syscall != NULL) { 3260 error = mpc->mpc_ops->mpo_syscall(td, 3261 SCARG(uap, call), SCARG(uap, arg)); 3262 goto out; 3263 } 3264 } 3265 3266out: 3267 MAC_POLICY_LIST_UNBUSY(); 3268 return (error); 3269} 3270 3271SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); 3272SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); 3273 3274#else /* !MAC */ 3275 3276int 3277__mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) 3278{ 3279 3280 return (ENOSYS); 3281} 3282 3283int 3284__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) 3285{ 3286 3287 return (ENOSYS); 3288} 3289 3290int 3291__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) 3292{ 3293 3294 return (ENOSYS); 3295} 3296 3297int 3298__mac_get_file(struct thread *td, struct __mac_get_file_args *uap) 3299{ 3300 3301 return (ENOSYS); 3302} 3303 3304int 3305__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) 3306{ 3307 3308 return (ENOSYS); 3309} 3310 3311int 3312__mac_set_file(struct thread *td, struct __mac_set_file_args *uap) 3313{ 3314 3315 return (ENOSYS); 3316} 3317 3318int 3319mac_syscall(struct thread *td, struct mac_syscall_args *uap) 3320{ 3321 3322 return (ENOSYS); 3323} 3324 3325#endif /* !MAC */
|